nodemailer 9.0.2 → 9.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,12 @@
1
1
  # CHANGELOG
2
2
 
3
+ ## [9.0.3](https://github.com/nodemailer/nodemailer/compare/v9.0.2...v9.0.3) (2026-06-30)
4
+
5
+
6
+ ### Bug Fixes
7
+
8
+ * **smtp-connection:** harden STARTTLS upgrade and secure socket handling ([#1835](https://github.com/nodemailer/nodemailer/issues/1835)) ([07d8253](https://github.com/nodemailer/nodemailer/commit/07d8253326ecefff9f7d92c157429ce8bc7335f8))
9
+
3
10
  ## [9.0.2](https://github.com/nodemailer/nodemailer/compare/v9.0.1...v9.0.2) (2026-06-29)
4
11
 
5
12
 
@@ -11,7 +11,7 @@ class RelaxedBody extends Transform {
11
11
  options = options || {};
12
12
  this.chunkBuffer = [];
13
13
  this.chunkBufferLen = 0;
14
- this.bodyHash = crypto.createHash(options.hashAlgo || 'sha1');
14
+ this.bodyHash = crypto.createHash(options.hashAlgo || 'sha256');
15
15
  this.remainder = '';
16
16
  this.byteLength = 0;
17
17
 
@@ -298,6 +298,20 @@ class SMTPConnection extends EventEmitter {
298
298
  try {
299
299
  this._socket.connect(this.port, this.host, () => {
300
300
  this._socket.setKeepAlive(true);
301
+
302
+ // a `secure` connection over a caller-provided socket must still
303
+ // perform the TLS handshake, otherwise AUTH and the message body
304
+ // would be sent in cleartext despite the caller requesting TLS
305
+ if (this.secureConnection && !this.alreadySecured) {
306
+ return this._upgradeConnection(err => {
307
+ if (err) {
308
+ this._onError(new Error('Error initiating TLS - ' + (err.message || err)), 'ETLS', false, 'CONN');
309
+ return;
310
+ }
311
+ this._onConnect();
312
+ });
313
+ }
314
+
301
315
  this._onConnect();
302
316
  });
303
317
  this._setupConnectionHandlers();
@@ -1025,6 +1039,15 @@ class SMTPConnection extends EventEmitter {
1025
1039
  * has been secured
1026
1040
  */
1027
1041
  _upgradeConnection(callback) {
1042
+ // RFC 3207 section 6: the client MUST discard any knowledge obtained from
1043
+ // the server that was not received over the TLS-protected session. Drop any
1044
+ // buffered input received before the handshake so a man-in-the-middle cannot
1045
+ // inject plaintext bytes after the "220" reply (e.g. a CRLF-free fragment that
1046
+ // would otherwise be prepended to the first post-TLS response and parsed as
1047
+ // part of the secured EHLO capabilities). STARTTLS response injection.
1048
+ this._remainder = '';
1049
+ this._responseQueue = [];
1050
+
1028
1051
  // do not remove all listeners or it breaks node v0.10 as there's
1029
1052
  // apparently a 'finish' event set that would be cleared as well
1030
1053
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "nodemailer",
3
- "version": "9.0.2",
3
+ "version": "9.0.3",
4
4
  "description": "Easy as cake e-mail sending from your Node.js applications",
5
5
  "main": "lib/nodemailer.js",
6
6
  "scripts": {