nodemailer 7.0.10 → 7.0.11

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # CHANGELOG
 
+## [7.0.11](https://github.com/nodemailer/nodemailer/compare/v7.0.10...v7.0.11) (2025-11-26)
+
+
+### Bug Fixes
+
+* prevent stack overflow DoS in addressparser with deeply nested groups ([b61b9c0](https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150))
+
 ## [7.0.10](https://github.com/nodemailer/nodemailer/compare/v7.0.9...v7.0.10) (2025-10-23)
 
 

package/lib/addressparser/index.js

@@ -4,9 +4,10 @@
  * Converts tokens for a single address into an address object
  *
  * @param {Array} tokens Tokens object
+ * @param {Number} depth Current recursion depth for nested group protection
  * @return {Object} Address object
  */
-function _handleAddress(tokens) {
+function _handleAddress(tokens, depth) {
     let isGroup = false;
     let state = 'text';
     let address;
@@ -87,7 +88,7 @@ function _handleAddress(tokens) {
         // Parse group members, but flatten any nested groups (RFC 5322 doesn't allow nesting)
         let groupMembers = [];
         if (data.group.length) {
-            let parsedGroup = addressparser(data.group.join(','));
+            let parsedGroup = addressparser(data.group.join(','), { _depth: depth + 1 });
             // Flatten: if any member is itself a group, extract its members into the sequence
             parsedGroup.forEach(member => {
                 if (member.group) {
@@ -299,6 +300,13 @@ class Tokenizer {
     }
 }
 
+/**
+ * Maximum recursion depth for parsing nested groups.
+ * RFC 5322 doesn't allow nested groups, so this is a safeguard against
+ * malicious input that could cause stack overflow.
+ */
+const MAX_NESTED_GROUP_DEPTH = 50;
+
 /**
  * Parses structured e-mail addresses from an address field
  *
@@ -311,10 +319,18 @@ class Tokenizer {
  *     [{name: 'Name', address: 'address@domain'}]
  *
  * @param {String} str Address field
+ * @param {Object} options Optional options object
+ * @param {Number} options._depth Internal recursion depth counter (do not set manually)
  * @return {Array} An array of address objects
  */
 function addressparser(str, options) {
     options = options || {};
+    let depth = options._depth || 0;
+
+    // Prevent stack overflow from deeply nested groups (DoS protection)
+    if (depth > MAX_NESTED_GROUP_DEPTH) {
+        return [];
+    }
 
     let tokenizer = new Tokenizer(str);
     let tokens = tokenizer.tokenize();
@@ -339,7 +355,7 @@ function addressparser(str, options) {
     }
 
     addresses.forEach(address => {
-        address = _handleAddress(address);
+        address = _handleAddress(address, depth);
         if (address.length) {
             parsedAddresses = parsedAddresses.concat(address);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "nodemailer",
-    "version": "7.0.10",
+    "version": "7.0.11",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
@@ -26,12 +26,12 @@
     },
     "homepage": "https://nodemailer.com/",
     "devDependencies": {
-        "@aws-sdk/client-sesv2": "3.914.0",
+        "@aws-sdk/client-sesv2": "3.940.0",
         "bunyan": "1.8.15",
         "c8": "10.1.3",
-        "eslint": "9.38.0",
+        "eslint": "9.39.1",
         "eslint-config-prettier": "10.1.8",
-        "globals": "16.4.0",
+        "globals": "16.5.0",
         "libbase64": "1.3.0",
         "libmime": "5.3.7",
         "libqp": "2.1.1",
@@ -39,7 +39,7 @@
         "prettier": "3.6.2",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
-        "smtp-server": "3.15.0"
+        "smtp-server": "3.16.1"
     },
     "engines": {
         "node": ">=6.0.0"