### Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls
set, causing the stuck of event loop.
Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.
### Details
Regex: /^data:((?:[^;];)(?:[^,])),(.)$/
Path: compile -> getAttachments -> _processDataUrl
Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/
Path: _convertDataImages
### PoC
https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
### Impact
ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
nodemailer | npm | - | - | <=6.9.8 | Not yet available |
Severity and metrics
No CVSS data available from this source.