Description
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components
Published: 2026-05-15
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Nodemailer's smtp_server, specifically within the SMTPStream._write component of lib/smtp-stream.js. A remote attacker can leverage this flaw to make the server unresponsive, resulting in a denial‑of‑service condition. The weakness is classified under CWE‑400 and does not allow code execution or data disclosure.

Affected Systems

The affected product is Nodemailer's smtp_server. Any installation using a version older than 3.18.3 is vulnerable. The official fix is available in release v3.18.3 on GitHub.

Risk and Exploitability

The CVSS severity score is 7.5, indicating a high level of risk. Because no EPSS score is reported and the vulnerability is not listed in CISA's KEV catalog, the overall exploitation probability is unknown, yet the DoS impact can be significant if the SMTP server is exposed to the internet. The flaw can be triggered remotely by sending crafted SMTP commands to the _write method. A straightforward mitigation is to upgrade the library; otherwise, limiting exposure via network controls can reduce risk.

Generated by OpenCVE AI on May 15, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nodemailer smtp_server library to version 3.18.3 or later using npm install @nodemailer/smtp-server@latest or yarn add @nodemailer/smtp-server@latest.
  • If an immediate upgrade is not feasible, harden the surrounding network perimeter by blocking or rate‑limiting unauthenticated inbound SMTP connections using firewalls or reverse‑proxy controls to prevent the attacker from reaching the vulnerable _write path.
  • After applying a patch or network changes, monitor server logs for SMTPStream errors and verify that the SMTP server remains responsive under normal load.


Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type         Values Removed    Values Added
Title        (none)            Nodemailer smtp_server Denial of Service via SMTPStream._write

Fri, 15 May 2026 16:45:00 +0000

Type         Values Removed    Values Added
Title        (none)            Nodemailer smtp_server Denial of Service via SMTPStream._write

Fri, 15 May 2026 16:15:00 +0000

Type         Values Removed    Values Added
Weaknesses   (none)            CWE-400
Metrics      (none)            cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 15:15:00 +0000

Type         Values Removed    Values Added
Description  (none)            An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-15T15:28:53.678Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38728

Vulnrichment

Updated: 2026-05-15T15:28:48.585Z

NVD

Status: Received

Published: 2026-05-15T15:16:51.197

Modified: 2026-05-15T16:16:14.463

Link: CVE-2026-38728

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T18:00:05Z

Weaknesses