Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on smtp-server (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.18.3.
DescriptionCVE.org
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components
AnalysisAI
Memory exhaustion vulnerability in Nodemailer smtp-server before v3.18.3 enables remote denial of service attacks through unbounded command line processing. The vulnerability allows unauthenticated attackers to crash SMTP services by sending oversized commands that exhaust server memory. Public exploit code exists and the issue is rated as highly automatable by CISA SSVC framework, though not yet listed in CISA KEV.
Technical ContextAI
The smtp-server package is a Node.js SMTP server implementation used by Nodemailer for receiving email. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) where the SMTPStream._write function in lib/smtp-stream.js fails to limit the length of incoming SMTP command lines. This allows attackers to send arbitrarily long commands that consume excessive memory, eventually causing the server process to crash or become unresponsive.
RemediationAI
Vendor-released patch: upgrade to smtp-server version 3.18.3 or later, which implements command line length limits to prevent memory exhaustion. The fix is available at https://github.com/nodemailer/smtp-server/releases/tag/v3.18.3. For systems that cannot immediately upgrade, implement rate limiting on SMTP connections and monitor memory usage with automated service restart capabilities. Consider placing a reverse proxy with request size limits in front of the SMTP server, though this may interfere with legitimate large emails.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30546
GHSA-fv2f-rw9f-v9cm