GHSA-rcmh-qjqh-p98v: Add Maven webjar (org.webjars.npm:nodemailer) as affected package#7913
Open
albertabiev1 wants to merge 1 commit into
…HSA-rcmh-qjqh-p98v The vulnerable addressparser code (lib/addressparser/index.js) was internalized into nodemailer starting from v3.0.0. Maven WebJar versions >= 3.0.0 bundle this file and are affected. Pre-3.x webjar versions are not affected — they do not contain addressparser code, and the transitive npm dependency chain (mailcomposer → buildmail → addressparser) is broken in the Maven ecosystem because buildmail was never published as a webjar.
Summary
Add `org.webjars.npm:nodemailer` (Maven ecosystem) as an affected package for GHSA-rcmh-qjqh-p98v (CVE-2025-14874).

Details
The vulnerable `addressparser` code (lib/addressparser/index.js) was internalized into the nodemailer package starting from v3.0.0 (commit 6218b8df, 2017-01-31). The Maven WebJar versions of nodemailer (org.webjars.npm:nodemailer) that are >= 3.0.0 bundle this file inside the JAR under `META-INF/resources/webjars/nodemailer/<version>/lib/addressparser/index.js` and are therefore affected.

Pre-3.x webjar versions (2.4.2, 2.7.2) are NOT affected because:
- They do not contain `addressparser` code — verified by extracting the JARs from Maven Central
- The transitive npm dependency chain (mailcomposer → buildmail → addressparser) is broken in the Maven ecosystem because `buildmail` was never published as a webjar (webjars/webjars#1186 documents this class of missing transitive dependency)
- No bundled `node_modules` — each npm package is a separate JAR, and npm dependencies are mapped to Maven POM `<dependency>` entries (source)

Affected Maven WebJar versions on Maven Central: 4.6.5, 6.3.1, 6.10.1 (all contain lib/addressparser/index.js)
Not affected Maven WebJar versions: 2.4.2, 2.7.2 (no addressparser code)

No fixed webjar version exists — `7.0.11` has not been published as a webjar.

References
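As an added example (not code from this PR, from nodemailer, or from the WebJars project): a Python check that does what the PR description says was done by hand, namely inspecting a WebJar's entry list for the internalized `lib/addressparser/index.js` path, reading the package name and version out of the `META-INF/resources/webjars/<name>/<version>/` layout, and cross-checking the result against the >= 3.0.0 boundary so that a JAR whose contents disagree with its version string is flagged rather than silently classified. The JARs it audits here are constructed in memory; `audit_webjar`, `make_webjar`, `parse_version` and the result field names are this example's own, not the advisory's or the ecosystem's.

```python
import io
import re
import zipfile

# WebJar layout: META-INF/resources/webjars/<name>/<version>/<path inside the npm package>
WEBJAR_RE = re.compile(r"^META-INF/resources/webjars/([^/]+)/([^/]+)/(.+)$")
# File internalized into nodemailer from v3.0.0 onward (per the PR description)
AFFECTED_FILE = "lib/addressparser/index.js"
FIRST_AFFECTED = (3, 0, 0)


def parse_version(text):
    """'6.10.1' -> (6, 10, 1); stops at the first non-numeric component."""
    out = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        out.append(int(m.group()))
    return tuple(out)


def audit_webjar(jar_bytes):
    """Audit one WebJar given as raw JAR bytes.

    'affected' is decided by the presence of the bundled file, not by the
    version string; 'version_in_range' is the independent version check, so a
    mismatch (file present below 3.0.0, or absent at/above it) shows up in 'note'.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = zf.namelist()

    name = version = None
    has_file = False
    for entry in entries:
        m = WEBJAR_RE.match(entry)
        if not m:
            continue  # MANIFEST.MF, pom.properties etc. are not WebJar content
        name, version, rel = m.groups()
        if rel == AFFECTED_FILE:
            has_file = True

    if name is None:
        return {"webjar": None, "version": None, "affected": False,
                "version_in_range": False, "note": "no WebJar layout found"}

    in_range = parse_version(version) >= FIRST_AFFECTED
    affected = name == "nodemailer" and has_file
    note = "ok"
    if name == "nodemailer" and has_file != in_range:
        note = "version/contents mismatch: inspect manually"
    return {"webjar": name, "version": version, "affected": affected,
            "version_in_range": in_range, "note": note}


def make_webjar(name, version, relpaths):
    """Build a constructed sample JAR in memory using the WebJar directory layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for rel in relpaths:
            zf.writestr(f"META-INF/resources/webjars/{name}/{version}/{rel}",
                        "// constructed placeholder content\n")
    return buf.getvalue()


# Constructed samples mirroring the PR's affected / not-affected cases
# (file lists are illustrative, not the real JAR contents).
SAMPLE_AFFECTED = make_webjar("nodemailer", "6.10.1",
                              ["package.json", "lib/nodemailer.js", AFFECTED_FILE])
SAMPLE_CLEAN = make_webjar("nodemailer", "2.7.2",
                           ["package.json", "lib/nodemailer.js"])
SAMPLE_OTHER = make_webjar("jquery", "3.7.1", ["dist/jquery.min.js"])


if __name__ == "__main__":
    for label, jar in [("nodemailer 6.10.1", SAMPLE_AFFECTED),
                       ("nodemailer 2.7.2", SAMPLE_CLEAN),
                       ("jquery 3.7.1", SAMPLE_OTHER)]:
        print(label, audit_webjar(jar))
```

Against a real artifact, feed the downloaded JAR's bytes to `audit_webjar` (for example `audit_webjar(open("nodemailer-6.10.1.jar", "rb").read())`); only the ZIP central directory is read, so the check is cheap enough to run over an entire local Maven repository.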