Skip to main content

smtp-server CVE-2026-38728

| EUVDEUVD-2026-30546 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-15 cve@mitre.org GHSA-fv2f-rw9f-v9cm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
May 15, 2026 - 17:31 vuln.today
Analysis Generated
May 15, 2026 - 17:31 vuln.today
CVSS changed
May 15, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
May 15, 2026 - 15:16 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on smtp-server (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.18.3.

DescriptionCVE.org

An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components

AnalysisAI

Memory exhaustion vulnerability in Nodemailer smtp-server before v3.18.3 enables remote denial of service attacks through unbounded command line processing. The vulnerability allows unauthenticated attackers to crash SMTP services by sending oversized commands that exhaust server memory. Public exploit code exists and the issue is rated as highly automatable by CISA SSVC framework, though not yet listed in CISA KEV.

Technical ContextAI

The smtp-server package is a Node.js SMTP server implementation used by Nodemailer for receiving email. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) where the SMTPStream._write function in lib/smtp-stream.js fails to limit the length of incoming SMTP command lines. This allows attackers to send arbitrarily long commands that consume excessive memory, eventually causing the server process to crash or become unresponsive.

RemediationAI

Vendor-released patch: upgrade to smtp-server version 3.18.3 or later, which implements command line length limits to prevent memory exhaustion. The fix is available at https://github.com/nodemailer/smtp-server/releases/tag/v3.18.3. For systems that cannot immediately upgrade, implement rate limiting on SMTP connections and monitor memory usage with automated service restart capabilities. Consider placing a reverse proxy with request size limits in front of the SMTP server, though this may interfere with legitimate large emails.

Share

CVE-2026-38728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy