npm - nodemailer - Versions diffs - 7.0.9 → 7.0.11 - Mend

nodemailer 7.0.9 → 7.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.release-please-config.json +6 -6
package/CHANGELOG.md +14 -0
package/lib/addressparser/index.js +19 -3
package/lib/mail-composer/index.js +16 -3
package/lib/smtp-connection/index.js +2 -2
package/package.json +7 -7

package/.release-please-config.json CHANGED Viewed

@@ -1,9 +1,9 @@
 {
-  "packages": {
-    ".": {
-      "release-type": "node",
-      "package-name": "nodemailer",
-      "pull-request-title-pattern": "chore${scope}: release ${version} [skip-ci]"
+    "packages": {
+        ".": {
+            "release-type": "node",
+            "package-name": "nodemailer",
+            "pull-request-title-pattern": "chore${scope}: release ${version} [skip-ci]"
+        }
     }
-  }
 }

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # CHANGELOG
+## [7.0.11](https://github.com/nodemailer/nodemailer/compare/v7.0.10...v7.0.11) (2025-11-26)
+### Bug Fixes
+* prevent stack overflow DoS in addressparser with deeply nested groups ([b61b9c0](https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150))
+## [7.0.10](https://github.com/nodemailer/nodemailer/compare/v7.0.9...v7.0.10) (2025-10-23)
+### Bug Fixes
+* Increase data URI size limit from 100KB to 50MB and preserve content type ([28dbf3f](https://github.com/nodemailer/nodemailer/commit/28dbf3fe129653f5756c150a98dc40593bfb2cfe))
 ## [7.0.9](https://github.com/nodemailer/nodemailer/compare/v7.0.8...v7.0.9) (2025-10-07)

package/lib/addressparser/index.js CHANGED Viewed

@@ -4,9 +4,10 @@
  * Converts tokens for a single address into an address object
  *
  * @param {Array} tokens Tokens object
+ * @param {Number} depth Current recursion depth for nested group protection
  * @return {Object} Address object
  */
-function _handleAddress(tokens) {
+function _handleAddress(tokens, depth) {
     let isGroup = false;
     let state = 'text';
     let address;
@@ -87,7 +88,7 @@ function _handleAddress(tokens) {
         // Parse group members, but flatten any nested groups (RFC 5322 doesn't allow nesting)
         let groupMembers = [];
         if (data.group.length) {
-            let parsedGroup = addressparser(data.group.join(','));
+            let parsedGroup = addressparser(data.group.join(','), { _depth: depth + 1 });
             // Flatten: if any member is itself a group, extract its members into the sequence
             parsedGroup.forEach(member => {
                 if (member.group) {
@@ -299,6 +300,13 @@ class Tokenizer {
     }
 }
+/**
+ * Maximum recursion depth for parsing nested groups.
+ * RFC 5322 doesn't allow nested groups, so this is a safeguard against
+ * malicious input that could cause stack overflow.
+ */
+const MAX_NESTED_GROUP_DEPTH = 50;
 /**
  * Parses structured e-mail addresses from an address field
  *
@@ -311,10 +319,18 @@ class Tokenizer {
  *     [{name: 'Name', address: 'address@domain'}]
  *
  * @param {String} str Address field
+ * @param {Object} options Optional options object
+ * @param {Number} options._depth Internal recursion depth counter (do not set manually)
  * @return {Array} An array of address objects
  */
 function addressparser(str, options) {
     options = options || {};
+    let depth = options._depth || 0;
+    // Prevent stack overflow from deeply nested groups (DoS protection)
+    if (depth > MAX_NESTED_GROUP_DEPTH) {
+        return [];
+    }
     let tokenizer = new Tokenizer(str);
     let tokens = tokenizer.tokenize();
@@ -339,7 +355,7 @@ function addressparser(str, options) {
     }
     addresses.forEach(address => {
-        address = _handleAddress(address);
+        address = _handleAddress(address, depth);
         if (address.length) {
             parsedAddresses = parsedAddresses.concat(address);
         }

package/lib/mail-composer/index.js CHANGED Viewed

@@ -575,14 +575,27 @@ class MailComposer {
             return element;
         }
-        if (dataUrl.length > 100000) {
-            // 100KB limit for data URL string
+        if (dataUrl.length > 52428800) {
+            // 52428800 chars = 50MB limit for data URL string (~37.5MB decoded image)
+            // Extract content type before rejecting to preserve MIME type
+            let detectedType = 'application/octet-stream';
+            const commaPos = dataUrl.indexOf(',');
+            if (commaPos > 0 && commaPos < 200) {
+                // Parse header safely with size limit
+                const header = dataUrl.substring(5, commaPos); // skip 'data:'
+                const parts = header.split(';');
+                if (parts[0] && parts[0].includes('/')) {
+                    detectedType = parts[0].trim();
+                }
+            }
             // Return empty content for excessively long data URLs
             return Object.assign({}, element, {
                 path: false,
                 href: false,
                 content: Buffer.alloc(0),
-                contentType: element.contentType || 'application/octet-stream'
+                contentType: element.contentType || detectedType
             });
         }

package/lib/smtp-connection/index.js CHANGED Viewed

@@ -1147,8 +1147,8 @@ class SMTPConnection extends EventEmitter {
             }
             notify = notify.map(n => n.trim().toUpperCase());
             let validNotify = ['NEVER', 'SUCCESS', 'FAILURE', 'DELAY'];
-            let invaliNotify = notify.filter(n => !validNotify.includes(n));
-            if (invaliNotify.length || (notify.length > 1 && notify.includes('NEVER'))) {
+            let invalidNotify = notify.filter(n => !validNotify.includes(n));
+            if (invalidNotify.length || (notify.length > 1 && notify.includes('NEVER'))) {
                 throw new Error('notify: ' + JSON.stringify(notify.join(',')));
             }
             notify = notify.join(',');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "nodemailer",
-    "version": "7.0.9",
+    "version": "7.0.11",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
@@ -26,20 +26,20 @@
     },
     "homepage": "https://nodemailer.com/",
     "devDependencies": {
-        "@aws-sdk/client-sesv2": "3.901.0",
+        "@aws-sdk/client-sesv2": "3.940.0",
         "bunyan": "1.8.15",
         "c8": "10.1.3",
-        "eslint": "^9.37.0",
-        "eslint-config-prettier": "^10.1.8",
-        "globals": "^16.4.0",
+        "eslint": "9.39.1",
+        "eslint-config-prettier": "10.1.8",
+        "globals": "16.5.0",
         "libbase64": "1.3.0",
         "libmime": "5.3.7",
         "libqp": "2.1.1",
         "nodemailer-ntlm-auth": "1.0.4",
-        "prettier": "^3.6.2",
+        "prettier": "3.6.2",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
-        "smtp-server": "3.14.0"
+        "smtp-server": "3.16.1"
     },
     "engines": {
         "node": ">=6.0.0"