Fix: Upgrade Nodemailer to address SMTP command injection vulnerability (#19151)

📄 Summary This PR upgrades the nodemailer dependency to a secure version (≥ 8.0.4) to fix a known SMTP command injection vulnerability (GHSA-c7w3-x93f-qmm8). 🚨 Issue The current version used in twenty-server (^7.0.11, resolved to 7.0.11 / 7.0.13) is vulnerable to SMTP command injection due to improper sanitization of the envelope.size parameter. This could allow CRLF injection, potentially enabling attackers to add unauthorized recipients to outgoing emails. 🔍 Root Cause The vulnerability originates from insufficient validation of user-controlled input in the SMTP envelope, specifically the size field, which can be exploited via crafted input containing CRLF sequences. ✅ Changes Upgraded nodemailer to version ^8.0.4 Ensured compatibility with existing email sending logic Verified that no breaking changes affect current usage 🔐 Security Impact This update mitigates the risk of: SMTP command injection Unauthorized email recipient manipulation Potential data leakage via crafted email payloads 📎 References GHSA: GHSA-c7w3-x93f-qmm8 CVE: (see linked report in issue) --------- Co-authored-by: Félix Malfait <felix.malfait@gmail.com> Co-authored-by: Charles Bochet <charlesBochet@users.noreply.github.com>
2026-04-21 13:37:22 +00:00 · 2026-03-31 21:55:50 +02:00 · 2026-03-31 21:55:50 +02:00 · 36dece43c7
commit 36dece43c7
parent ac8e0d4217
5 changed files with 13 additions and 19 deletions
--- a/package.json
+++ b/package.json
@ -180,6 +180,7 @@
    "graphql": "16.8.1",
    "type-fest": "4.10.1",
    "typescript": "5.9.2",
+    "nodemailer": "8.0.4",
    "graphql-redis-subscriptions/ioredis": "^5.6.0",
    "@lingui/core": "5.1.2",
    "@types/qs": "6.9.16",
--- a/packages/twenty-server/package.json
+++ b/packages/twenty-server/package.json
@ -150,7 +150,7 @@
    "ms": "2.1.3",
    "nest-commander": "^3.19.1",
    "node-ical": "^0.20.1",
-    "nodemailer": "^7.0.11",
+    "nodemailer": "^8.0.4",
    "openapi-types": "12.1.3",
    "openid-client": "^5.7.0",
    "otplib": "^12.0.1",
--- a/packages/twenty-server/src/engine/core-modules/application/application-package/constants/seed-dependencies/package.json
+++ b/packages/twenty-server/src/engine/core-modules/application/application-package/constants/seed-dependencies/package.json
@ -37,7 +37,7 @@
    "lodash.pickby": "^4.6.0",
    "lodash.snakecase": "^4.1.1",
    "lodash.upperfirst": "^4.3.1",
-    "nodemailer": "^7.0.11",
+    "nodemailer": "^8.0.4",
    "sharp": "^0.34.5",
    "uuid": "^10.0.0",
    "winston": "^3.14.2"
--- a/packages/twenty-server/src/engine/core-modules/application/application-package/constants/seed-dependencies/yarn.lock
+++ b/packages/twenty-server/src/engine/core-modules/application/application-package/constants/seed-dependencies/yarn.lock
@ -2195,10 +2195,10 @@ __metadata:
  languageName: node
  linkType: hard

-"nodemailer@npm:^7.0.11":
-  version: 7.0.11
-  resolution: "nodemailer@npm:7.0.11"
-  checksum: 10c0/208f108fdb4c5dd0e3a2f013578d53dad505cf1b9c7a084f6d22fc9d6f3912daafb4a23793ca568ff848afc35f15f4eb24382d3f6f9fb8ede4a8410d4ca63618
+"nodemailer@npm:^8.0.4":
+  version: 8.0.4
+  resolution: "nodemailer@npm:8.0.4"
+  checksum: 10c0/5fb6fa72645b541c18b84b861de46f4740449e1d7c987b4d9ef715d815d613f93262225bc319e217df6215d6f123efadb9a412dcf937fe0a41cbecf279dfb2a0
  languageName: node
  linkType: hard

@ -2510,7 +2510,7 @@ __metadata:
    lodash.pickby: "npm:^4.6.0"
    lodash.snakecase: "npm:^4.1.1"
    lodash.upperfirst: "npm:^4.3.1"
-    nodemailer: "npm:^7.0.11"
+    nodemailer: "npm:^8.0.4"
    sharp: "npm:^0.34.5"
    uuid: "npm:^10.0.0"
    winston: "npm:^3.14.2"
--- a/yarn.lock
+++ b/yarn.lock
@ -49309,17 +49309,10 @@ __metadata:
  languageName: node
  linkType: hard

-"nodemailer@npm:7.0.11":
-  version: 7.0.11
-  resolution: "nodemailer@npm:7.0.11"
-  checksum: 10c0/208f108fdb4c5dd0e3a2f013578d53dad505cf1b9c7a084f6d22fc9d6f3912daafb4a23793ca568ff848afc35f15f4eb24382d3f6f9fb8ede4a8410d4ca63618
-  languageName: node
-  linkType: hard
-
-"nodemailer@npm:7.0.13, nodemailer@npm:^7.0.11":
-  version: 7.0.13
-  resolution: "nodemailer@npm:7.0.13"
-  checksum: 10c0/b26aa5b9fa4a033bbc1e1c16ef75ee2a9c8641fd290c00a8361d6a251b3c1b8bad545a23efa627f59cb266340a448891ea8aa49d8a9307c767b8505219d95079
+"nodemailer@npm:8.0.4":
+  version: 8.0.4
+  resolution: "nodemailer@npm:8.0.4"
+  checksum: 10c0/5fb6fa72645b541c18b84b861de46f4740449e1d7c987b4d9ef715d815d613f93262225bc319e217df6215d6f123efadb9a412dcf937fe0a41cbecf279dfb2a0
  languageName: node
  linkType: hard

@ -59980,7 +59973,7 @@ __metadata:
    ms: "npm:2.1.3"
    nest-commander: "npm:^3.19.1"
    node-ical: "npm:^0.20.1"
-    nodemailer: "npm:^7.0.11"
+    nodemailer: "npm:^8.0.4"
    openapi-types: "npm:12.1.3"
    openid-client: "npm:^5.7.0"
    otplib: "npm:^12.0.1"