fix(deps): update dependency nodemailer to v6.9.9 [security] - autoclosed #5236
Hey there and thank you for opening this pull request! 👋 We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted. Your PR title is:
Details:
cc @rifont
This PR contains the following updates:
nodemailer: 6.9.1 -> 6.9.9
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
GHSA-9h6g-pr28-7cqp
Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to get stuck. Another flaw was found when nodemailer tries to parse an attachment with an embedded file, causing the event loop to get stuck.
Details
Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/
Path: compile -> getAttachments -> _processDataUrl
Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/
Path: _convertDataImages
PoC
https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
Impact
ReDoS causes the event loop to get stuck; a specially crafted evil email can cause this problem.
Release Notes
nodemailer/nodemailer (nodemailer)
v6.9.9: Bug Fixes
v6.9.8: Bug Fixes
v6.9.7: Bug Fixes
v6.9.6: Bug Fixes
v6.9.5: Bug Fixes
v6.9.4
v6.9.3
v6.9.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
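For the data: URL handling the advisory above describes, an added example (not nodemailer's code and not its actual fix) of a parser that does the same job in linear time by scanning for the first "," and splitting the header once, instead of a regex with nested quantifiers. The function name parseDataUrl and the sample inputs are assumptions constructed for this example.

```javascript
// Added example, not nodemailer's implementation. Parses a "data:" URL of the
// kind an attachment path/href or an inline <img src> may carry. Every step is
// a single pass (indexOf / slice / split), so cost grows linearly with input
// length and a large or malformed header cannot stall the event loop.
function parseDataUrl(url) {
  if (typeof url !== 'string' || !url.toLowerCase().startsWith('data:')) return null;
  const comma = url.indexOf(',');
  if (comma === -1) return null;                 // no header/payload separator
  const header = url.slice(5, comma);            // text between "data:" and ","
  const params = header.split(';');
  const contentType = (params.shift() || 'text/plain').toLowerCase();
  let isBase64 = false;
  const attrs = {};
  for (const p of params) {
    if (p.toLowerCase() === 'base64') { isBase64 = true; continue; }
    const eq = p.indexOf('=');
    if (eq > 0) attrs[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }
  const payload = url.slice(comma + 1);
  let data;
  try {
    data = isBase64
      ? Buffer.from(payload, 'base64')
      : Buffer.from(decodeURIComponent(payload), 'utf8');
  } catch (e) {
    return null;                                 // malformed percent-encoding
  }
  return { contentType, attrs, isBase64, data };
}

// Constructed inputs: a normal inline PNG and a large malformed header that
// never reaches a "," (the parser rejects it after one indexOf scan).
const GOOD = 'data:image/png;base64,' + Buffer.from('png-bytes').toString('base64');
const LARGE_BAD = 'data:' + ';'.repeat(100000);

// Returns the parse result together with wall-clock time in milliseconds, so
// a caller can confirm the parser stays fast on oversized input.
function timedParse(url) {
  const t0 = process.hrtime.bigint();
  const result = parseDataUrl(url);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { result, ms };
}
```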