GHSA-fv2f-rw9f-v9cmHigh

smtp-server's command parser memory exhaustion denial-of-service

Published
May 15, 2026
Last Modified
June 29, 2026

🔗 CVE IDs covered (1)

📋 Description

smtp-server prior to v3.18.3 are vulnerable to unauthenticated memory exhaustion denial-of-service. smtp-server's command parser allows any remote client to consume server memory by sending data without newline characters. The server's _remainder buffer in SMTPStream._write grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash.

The _write method in lib/smtp-stream.js appends incoming TCP chunks to this._remainder in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the _remainder value will grow indefinitely, causing excess memory consumption.

🎯 Affected products1

  • npm/smtp-server:< 3.18.3

🔗 References (6)