GHSA-fv2f-rw9f-v9cmHigh
smtp-server's command parser memory exhaustion denial-of-service
🔗 CVE IDs covered (1)
📋 Description
smtp-server prior to v3.18.3 are vulnerable to unauthenticated memory exhaustion denial-of-service. smtp-server's command parser allows any remote client to consume server memory by sending data without newline characters. The server's _remainder buffer in SMTPStream._write grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash.
The _write method in lib/smtp-stream.js appends incoming TCP chunks to this._remainder in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the _remainder value will grow indefinitely, causing excess memory consumption.
🎯 Affected products1
- npm/smtp-server:< 3.18.3
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2026-38728
- https://bytecreator.dev/blog/CVE-2026-38728
- https://github.com/nodemailer/smtp-server
- https://github.com/nodemailer/smtp-server/releases/tag/v3.18.3
- https://github.com/nodemailer/smtp-server/commit/592c5666fa0c76d1d04c1a32abad0ef806fbfe97
- https://github.com/advisories/GHSA-fv2f-rw9f-v9cm