nodemailer security vulnerability #4339
Comments
@srihakum, thanks for reporting this. Would you like to submit a PR? Thanks.
Please note: if your application is not using LoopBack's built-in As the first step, we need you to compile a list of breaking changes made by
The related breaking changes would be:
released as 3.28.0 🎉
The version of node module nodemailer is quite old and affected by the below mentioned security vulnerability. Fix is required on Loopback 3 as well.
CVE-2020-7769:
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Scanning the latest shows that we're pulling in [email protected], which is older than recommended! Looking at the code in that old version (https://github.com/nodemailer/nodemailer/blob/533b94593f133cf353bca4b2648c1fb8326b7d0e/lib/sendmail-transport/index.js) the problem is still there.
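An added example, not part of the original issue and not LoopBack's or nodemailer's code: a lockfile check for the condition the report describes, a nodemailer copy older than 6.4.16 pulled in directly or transitively. The function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: list every nodemailer copy in a package-lock that predates 6.4.16.
const FIXED = '6.4.16'; // first unaffected release per the CVE-2020-7769 text above

// Compare "major.minor.patch" strings numerically; prerelease tags are ignored.
function isBefore(version, fixed) {
  const a = version.split('-')[0].split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Collect {path, version} for each installed copy of `name`.
// Handles lockfileVersion 2/3 ("packages" keyed by path) and 1 (nested "dependencies").
function findCopies(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail.concat(dep);
      if (dep === name) found.push({ path: path.join(' > '), version: meta.version });
      walk(meta.dependencies, path); // nested copies live under the parent entry
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Copies without a version string (e.g. linked packages) are skipped, not flagged.
function vulnerableCopies(lock, name = 'nodemailer', fixed = FIXED) {
  return findCopies(lock, name)
    .filter((c) => typeof c.version === 'string' && isBefore(c.version, fixed));
}

// Constructed sample lockfile (v1 layout); all versions here are made up.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    loopback: { version: '0.0.0-sample', dependencies: { nodemailer: { version: '6.4.15' } } },
    nodemailer: { version: '6.4.16' },
  },
};
console.log(vulnerableCopies(sampleLock));
```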