Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14602 vulnerabilities reference this CWE, most recent first.

GHSA-WQP8-4RW9-285H

Vulnerability from github – Published: 2025-01-16 21:31 – Updated: 2026-04-01 18:33
VLAI
Details

Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through 1.3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-23778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-16T21:15:19Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Pravin Durugkar User Sync ActiveCampaign allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Sync ActiveCampaign: from n/a through 1.3.2.",
  "id": "GHSA-wqp8-4rw9-285h",
  "modified": "2026-04-01T18:33:13Z",
  "published": "2025-01-16T21:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23778"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/registered-user-sync-activecampaign/vulnerability/wordpress-user-sync-activecampaign-plugin-1-3-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQPX-WP8J-GW7R

Vulnerability from github – Published: 2025-12-16 09:31 – Updated: 2026-01-20 15:32
VLAI
Details

Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-16T09:15:57Z",
    "severity": "CRITICAL"
  },
  "details": "Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yaad Sarig Payment Gateway For WC: from n/a through \u003c= 2.2.10.",
  "id": "GHSA-wqpx-wp8j-gw7r",
  "modified": "2026-01-20T15:32:14Z",
  "published": "2025-12-16T09:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66131"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/yaad-sarig-payment-gateway-for-wc/vulnerability/wordpress-yaad-sarig-payment-gateway-for-wc-plugin-2-2-10-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQQ2-M2PV-X493

Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-04-01 18:36
VLAI
Details

Missing Authorization vulnerability in Roxnor EmailKit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EmailKit: from n/a through 1.6.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T09:15:36Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Roxnor EmailKit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EmailKit: from n/a through 1.6.0.",
  "id": "GHSA-wqq2-m2pv-x493",
  "modified": "2026-04-01T18:36:21Z",
  "published": "2025-09-26T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60106"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/emailkit/vulnerability/wordpress-emailkit-plugin-1-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQR4-QR3F-X2R4

Vulnerability from github – Published: 2025-04-01 06:30 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in YayCommerce YayExtra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayExtra: from n/a through 1.5.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-31415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T06:15:56Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in YayCommerce YayExtra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayExtra: from n/a through 1.5.2.",
  "id": "GHSA-wqr4-qr3f-x2r4",
  "modified": "2026-04-01T18:34:18Z",
  "published": "2025-04-01T06:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31415"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/yayextra/vulnerability/wordpress-yayextra-1-5-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQR7-CF9Q-RVF7

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-08-05 00:00
VLAI
Details

Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33197"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-02T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Go before 1.15.12 and 1.16.x before 1.16.5 acts as an Unintended Proxy or Intermediary.",
  "id": "GHSA-wqr7-cf9q-rvf7",
  "modified": "2022-08-05T00:00:27Z",
  "published": "2022-05-24T19:09:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33197"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQV6-3FQW-FH53

Vulnerability from github – Published: 2024-04-17 09:30 – Updated: 2026-04-28 21:34
VLAI
Details

Missing Authorization vulnerability in Palscode Multi Currency For WooCommerce.This issue affects Multi Currency For WooCommerce: from n/a through 1.5.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T08:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Palscode Multi Currency For WooCommerce.This issue affects Multi Currency For WooCommerce: from n/a through 1.5.5.",
  "id": "GHSA-wqv6-3fqw-fh53",
  "modified": "2026-04-28T21:34:45Z",
  "published": "2024-04-17T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32516"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wc-multi-currency/wordpress-multi-currency-for-woocommerce-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQVQ-JVPQ-H66F

Vulnerability from github – Published: 2026-06-15 17:35 – Updated: 2026-06-15 17:35
VLAI
Summary
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
Details

Summary

Nodemailer's disableFileAccess and disableUrlAccess options are intended to prevent message content and attachments from reading local files or fetching URLs. The normal MIME streaming path enforces those options in MimeNode._getStream(). However, jsonTransport serializes messages by calling mail.normalize(), which resolves html, text, alternatives, calendar events, and attachments through shared.resolveContent() before MIME generation. shared.resolveContent() reads local files and fetches HTTP(S) URLs directly, without receiving or checking disableFileAccess or disableUrlAccess.

As a result, applications that use jsonTransport as a safe serializer or queue payload generator while relying on disableFileAccess / disableUrlAccess can still be made to read local files into the generated JSON output or make outbound HTTP requests when an attacker controls message content fields such as attachment path or text.href.

The same missing-enforcement root cause is also reachable before normal streaming when attachDataUrls causes _convertDataImages() to call mail.resolveContent(mail.data, 'html', ...); this should be fixed with the same access-control check.

Details

Source-to-sink evidence:

  • lib/nodemailer.js:42-45 selects JSONTransport when createTransport({ jsonTransport: true, ... }) is used.
  • lib/mailer/mail-message.js:34-39 copies transport-level disableFileAccess and disableUrlAccess options into mail.data.
  • lib/json-transport/index.js:52-76 serializes mail by calling mail.normalize((err, data) => ...).
  • lib/mailer/mail-message.js:46-135 implements resolveAll() and calls shared.resolveContent(...args, ...) for html, text, watchHtml, amp, icalEvent, alternatives, and attachments.
  • lib/shared/index.js:506-562 implements resolveContent().
  • lib/shared/index.js:540-541 fetches HTTP(S) content with nmfetch(content.path || content.href).
  • lib/shared/index.js:549-550 reads local files with fs.createReadStream(content.path).
  • shared.resolveContent() does not check disableFileAccess or disableUrlAccess and does not receive those flags.

Control path showing intended enforcement:

  • lib/mail-composer/index.js:358-359, lib/mail-composer/index.js:367-368, and sibling child-node creation paths pass disableUrlAccess and disableFileAccess into MimeNode.
  • lib/mime-node/index.js:51-52 stores those flags.
  • lib/mime-node/index.js:984-995 rejects file paths with EFILEACCESS when disableFileAccess is set.
  • lib/mime-node/index.js:998-1009 rejects URLs with EURLACCESS when disableUrlAccess is set.
  • test/mail-composer/mail-composer-test.js:1028-1044 includes a normal MIME-streaming test that expects file access to be blocked when disableFileAccess: true.

Additional same-root-cause variant:

  • lib/mailer/index.js:406-434 implements _convertDataImages() for attachDataUrls.
  • lib/mailer/index.js:407-410 calls mail.resolveContent(mail.data, 'html', ...) when attachDataUrls is enabled and mail.data.html is present.
  • Because mail.resolveContent() delegates to shared.resolveContent() at lib/mailer/mail-message.js:42-44, an object-form html: { path: ... } or html: { href: ... } can be resolved before the later MIME streaming enforcement sees the content.
  • This variant requires attachDataUrls to be enabled, so the main reportable default/common path is jsonTransport; both should be fixed by enforcing access flags inside the pre-resolution helper or passing policy into it.

Default/common exposure evidence:

  • jsonTransport is a shipped runtime transport selected by public createTransport options.
  • test/json-transport/json-transport-test.js:9-83 demonstrates that jsonTransport intentionally resolves file-backed html and attachments into JSON output.
  • disableFileAccess and disableUrlAccess are documented by code and tests as security controls and are copied from transport options into message data for all transports.
  • The bypass does not require test-only code, external infrastructure, unsupported configuration, or maintainer-only APIs.

False-positive screening and negative controls:

  • The local PoC used the same disableFileAccess: true and disableUrlAccess: true transport options for both jsonTransport and normal streamTransport controls.
  • jsonTransport read the temporary local fixture file and embedded the content in JSON despite disableFileAccess: true.
  • streamTransport with the same attachment and disableFileAccess: true rejected with EFILEACCESS.
  • jsonTransport fetched a local HTTP listener despite disableUrlAccess: true.
  • streamTransport with the same URL and disableUrlAccess: true rejected with EURLACCESS.
  • The local URL proof used only 127.0.0.1 and did not contact external infrastructure.

Affected version evidence and uncertainty:

  • Confirmed vulnerable: nodemailer 8.0.8 at commit 15138a84c543c20aa399218534cdbbfa2ea1ce55.
  • Git history shows jsonTransport has existed since commit d78b63b (2017-02-09, "Added test for json transport"), and disableFileAccess appears in historical setup commit 6218b8d (2017-01-31), but older versions were not dynamically tested during this audit.
  • Affected range is therefore recorded as unknown beyond the confirmed current version.
  • No patched version was identified in this checkout.

Severity rationale:

  • AV: The vulnerable library path is typically reached through an application-level message submission or rendering/queueing feature.
  • AC: A single message field using path or href triggers the bypass when jsonTransport is used.
  • PR: Conservative assumption that the attacker is a lower-privileged user of an application that accepts partially user-controlled message objects. Some deployments may expose this unauthenticated, but that was not assumed.
  • UI: No user interaction is required after the application accepts the message object.
  • S: The impact remains in the embedding application/library security scope.
  • C: Local file contents can be copied into the generated JSON output when the application later stores, logs, returns, or forwards that JSON.
  • I: The attacker can induce outbound HTTP requests to attacker-chosen or internal URLs from the application host when URL access was intended to be disabled.
  • A: No availability impact was demonstrated; the PoC used bounded local files and a localhost listener only.

Final self-review:

  • Reproduction evidence was generated locally from this checkout using only a temporary file under the OS temp directory and a local 127.0.0.1 HTTP listener.
  • The PoC included positive proof for file read and URL fetch, plus negative controls showing normal streamTransport rejects the same inputs with EFILEACCESS and EURLACCESS.
  • The proof is non-destructive, performs no external network traffic, and deletes its temporary fixture.
  • Reachability, package exposure, policy-enforcement bypass, same-root-cause variant, and false-positive controls were checked as described above.
  • The affected range is not overclaimed; only the current tested version is confirmed vulnerable.

PoC

From a clean checkout of nodemailer at commit 15138a84c543c20aa399218534cdbbfa2ea1ce55, run:

node <<'NODE'
'use strict';
const fs = require('fs');
const os = require('os');
const path = require('path');
const http = require('http');
const nodemailer = require('./');
const marker = 'NM_JSON_BYPASS_' + Date.now();
const fixture = path.join(os.tmpdir(), 'nodemailer-json-bypass-' + process.pid + '.txt');
fs.writeFileSync(fixture, marker);
function sendMail(transport, data) {
  return new Promise((resolve, reject) => transport.sendMail(data, (err, info) => err ? reject(err) : resolve(info)));
}
(async () => {
  const jsonTransport = nodemailer.createTransport({ jsonTransport: true, disableFileAccess: true, disableUrlAccess: true });
  const jsonInfo = await sendMail(jsonTransport, {
    from: 'sender@example.test',
    to: 'recipient@example.test',
    subject: 'json file bypass',
    text: 'body',
    attachments: [{ filename: 'secret.txt', path: fixture }]
  });
  const jsonMessage = JSON.parse(jsonInfo.message);
  const decoded = Buffer.from(jsonMessage.attachments[0].content, 'base64').toString('utf8');
  console.log('JSON_FILE_BYPASS=' + (decoded === marker));
  console.log('JSON_FILE_CONTENT=' + decoded);

  const streamTransport = nodemailer.createTransport({ streamTransport: true, buffer: true, disableFileAccess: true });
  try {
    await sendMail(streamTransport, {
      from: 'sender@example.test',
      to: 'recipient@example.test',
      subject: 'stream control',
      text: 'body',
      attachments: [{ filename: 'secret.txt', path: fixture }]
    });
    console.log('STREAM_FILE_CONTROL=NO_ERROR');
  } catch (err) {
    console.log('STREAM_FILE_CONTROL=' + err.code);
  }

  const server = http.createServer((req, res) => {
    console.log('LOCAL_HTTP_REQUEST=' + req.method + ' ' + req.url);
    res.end('LOCAL_HTTP_MARKER');
  });
  await new Promise(resolve => server.listen(0, '127.0.0.1', resolve));
  const url = 'http://127.0.0.1:' + server.address().port + '/private';
  const jsonUrlInfo = await sendMail(jsonTransport, {
    from: 'sender@example.test',
    to: 'recipient@example.test',
    subject: 'json url bypass',
    text: { href: url }
  });
  const jsonUrlMessage = JSON.parse(jsonUrlInfo.message);
  console.log('JSON_URL_BYPASS=' + (jsonUrlMessage.text === 'LOCAL_HTTP_MARKER'));
  const streamUrlTransport = nodemailer.createTransport({ streamTransport: true, buffer: true, disableUrlAccess: true });
  try {
    await sendMail(streamUrlTransport, {
      from: 'sender@example.test',
      to: 'recipient@example.test',
      subject: 'stream url control',
      text: { href: url }
    });
    console.log('STREAM_URL_CONTROL=NO_ERROR');
  } catch (err) {
    console.log('STREAM_URL_CONTROL=' + err.code);
  }
  server.close();
  fs.unlinkSync(fixture);
})().catch(err => { try { fs.unlinkSync(fixture); } catch (E) {} console.error(err && err.stack || err); process.exit(1); });
NODE

Observed output in this environment:

JSON_FILE_BYPASS=true
JSON_FILE_CONTENT=NM_JSON_BYPASS_1779802076150
STREAM_FILE_CONTROL=EFILEACCESS
LOCAL_HTTP_REQUEST=GET /private
JSON_URL_BYPASS=true
STREAM_URL_CONTROL=EURLACCESS

Expected vulnerable output: JSON_FILE_BYPASS=true, the printed temporary marker in JSON_FILE_CONTENT, a LOCAL_HTTP_REQUEST=GET /private line, and JSON_URL_BYPASS=true. Expected negative/control output: STREAM_FILE_CONTROL=EFILEACCESS and STREAM_URL_CONTROL=EURLACCESS, showing the same policy flags work in the normal streaming transport.

Cleanup: the PoC removes its temporary fixture file before exiting and closes the local HTTP server.

Impact

If an application uses jsonTransport to safely serialize or queue partially user-controlled Nodemailer message objects while relying on disableFileAccess / disableUrlAccess, an attacker can bypass those protections. The file-read variant can copy local file contents into the generated JSON message output. The URL-fetch variant can force outbound HTTP requests from the application host to local or internal services despite URL access being disabled. The impact depends on what message fields the embedding application exposes and where it stores or returns the generated JSON, but the local PoC confirms both protected sink operations are reached.

Suggested remediation

Enforce disableFileAccess and disableUrlAccess inside shared.resolveContent() or pass an explicit policy object into every pre-resolution call and reject protected path / href values before opening files or fetching URLs. Apply the same fix to jsonTransport normalization and the attachDataUrls pre-plugin path. Add regression tests showing jsonTransport returns EFILEACCESS / EURLACCESS for file and URL content when those flags are set, and that attachDataUrls cannot resolve object-form html.path / html.href when the corresponding access flag is disabled.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nodemailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:35:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nNodemailer\u0027s `disableFileAccess` and `disableUrlAccess` options are intended to prevent message content and attachments from reading local files or fetching URLs. The normal MIME streaming path enforces those options in `MimeNode._getStream()`. However, `jsonTransport` serializes messages by calling `mail.normalize()`, which resolves `html`, `text`, alternatives, calendar events, and attachments through `shared.resolveContent()` before MIME generation. `shared.resolveContent()` reads local files and fetches HTTP(S) URLs directly, without receiving or checking `disableFileAccess` or `disableUrlAccess`.\n\nAs a result, applications that use `jsonTransport` as a safe serializer or queue payload generator while relying on `disableFileAccess` / `disableUrlAccess` can still be made to read local files into the generated JSON output or make outbound HTTP requests when an attacker controls message content fields such as attachment `path` or `text.href`.\n\nThe same missing-enforcement root cause is also reachable before normal streaming when `attachDataUrls` causes `_convertDataImages()` to call `mail.resolveContent(mail.data, \u0027html\u0027, ...)`; this should be fixed with the same access-control check.\n\n### Details\nSource-to-sink evidence:\n\n- `lib/nodemailer.js:42-45` selects `JSONTransport` when `createTransport({ jsonTransport: true, ... })` is used.\n- `lib/mailer/mail-message.js:34-39` copies transport-level `disableFileAccess` and `disableUrlAccess` options into `mail.data`.\n- `lib/json-transport/index.js:52-76` serializes mail by calling `mail.normalize((err, data) =\u003e ...)`.\n- `lib/mailer/mail-message.js:46-135` implements `resolveAll()` and calls `shared.resolveContent(...args, ...)` for `html`, `text`, `watchHtml`, `amp`, `icalEvent`, alternatives, and attachments.\n- `lib/shared/index.js:506-562` implements `resolveContent()`.\n- `lib/shared/index.js:540-541` fetches HTTP(S) content with `nmfetch(content.path || content.href)`.\n- `lib/shared/index.js:549-550` reads local files with `fs.createReadStream(content.path)`.\n- `shared.resolveContent()` does not check `disableFileAccess` or `disableUrlAccess` and does not receive those flags.\n\nControl path showing intended enforcement:\n\n- `lib/mail-composer/index.js:358-359`, `lib/mail-composer/index.js:367-368`, and sibling child-node creation paths pass `disableUrlAccess` and `disableFileAccess` into `MimeNode`.\n- `lib/mime-node/index.js:51-52` stores those flags.\n- `lib/mime-node/index.js:984-995` rejects file paths with `EFILEACCESS` when `disableFileAccess` is set.\n- `lib/mime-node/index.js:998-1009` rejects URLs with `EURLACCESS` when `disableUrlAccess` is set.\n- `test/mail-composer/mail-composer-test.js:1028-1044` includes a normal MIME-streaming test that expects file access to be blocked when `disableFileAccess: true`.\n\nAdditional same-root-cause variant:\n\n- `lib/mailer/index.js:406-434` implements `_convertDataImages()` for `attachDataUrls`.\n- `lib/mailer/index.js:407-410` calls `mail.resolveContent(mail.data, \u0027html\u0027, ...)` when `attachDataUrls` is enabled and `mail.data.html` is present.\n- Because `mail.resolveContent()` delegates to `shared.resolveContent()` at `lib/mailer/mail-message.js:42-44`, an object-form `html: { path: ... }` or `html: { href: ... }` can be resolved before the later MIME streaming enforcement sees the content.\n- This variant requires `attachDataUrls` to be enabled, so the main reportable default/common path is `jsonTransport`; both should be fixed by enforcing access flags inside the pre-resolution helper or passing policy into it.\n\nDefault/common exposure evidence:\n\n- `jsonTransport` is a shipped runtime transport selected by public `createTransport` options.\n- `test/json-transport/json-transport-test.js:9-83` demonstrates that `jsonTransport` intentionally resolves file-backed `html` and attachments into JSON output.\n- `disableFileAccess` and `disableUrlAccess` are documented by code and tests as security controls and are copied from transport options into message data for all transports.\n- The bypass does not require test-only code, external infrastructure, unsupported configuration, or maintainer-only APIs.\n\nFalse-positive screening and negative controls:\n\n- The local PoC used the same `disableFileAccess: true` and `disableUrlAccess: true` transport options for both `jsonTransport` and normal `streamTransport` controls.\n- `jsonTransport` read the temporary local fixture file and embedded the content in JSON despite `disableFileAccess: true`.\n- `streamTransport` with the same attachment and `disableFileAccess: true` rejected with `EFILEACCESS`.\n- `jsonTransport` fetched a local HTTP listener despite `disableUrlAccess: true`.\n- `streamTransport` with the same URL and `disableUrlAccess: true` rejected with `EURLACCESS`.\n- The local URL proof used only `127.0.0.1` and did not contact external infrastructure.\n\nAffected version evidence and uncertainty:\n\n- Confirmed vulnerable: `nodemailer` 8.0.8 at commit `15138a84c543c20aa399218534cdbbfa2ea1ce55`.\n- Git history shows `jsonTransport` has existed since commit `d78b63b` (2017-02-09, \"Added test for json transport\"), and `disableFileAccess` appears in historical setup commit `6218b8d` (2017-01-31), but older versions were not dynamically tested during this audit.\n- Affected range is therefore recorded as unknown beyond the confirmed current version.\n- No patched version was identified in this checkout.\n\nSeverity rationale:\n\n- AV: The vulnerable library path is typically reached through an application-level message submission or rendering/queueing feature.\n- AC: A single message field using `path` or `href` triggers the bypass when `jsonTransport` is used.\n- PR: Conservative assumption that the attacker is a lower-privileged user of an application that accepts partially user-controlled message objects. Some deployments may expose this unauthenticated, but that was not assumed.\n- UI: No user interaction is required after the application accepts the message object.\n- S: The impact remains in the embedding application/library security scope.\n- C: Local file contents can be copied into the generated JSON output when the application later stores, logs, returns, or forwards that JSON.\n- I: The attacker can induce outbound HTTP requests to attacker-chosen or internal URLs from the application host when URL access was intended to be disabled.\n- A: No availability impact was demonstrated; the PoC used bounded local files and a localhost listener only.\n\nFinal self-review:\n\n- Reproduction evidence was generated locally from this checkout using only a temporary file under the OS temp directory and a local `127.0.0.1` HTTP listener.\n- The PoC included positive proof for file read and URL fetch, plus negative controls showing normal `streamTransport` rejects the same inputs with `EFILEACCESS` and `EURLACCESS`.\n- The proof is non-destructive, performs no external network traffic, and deletes its temporary fixture.\n- Reachability, package exposure, policy-enforcement bypass, same-root-cause variant, and false-positive controls were checked as described above.\n- The affected range is not overclaimed; only the current tested version is confirmed vulnerable.\n\n### PoC\n\nFrom a clean checkout of `nodemailer` at commit `15138a84c543c20aa399218534cdbbfa2ea1ce55`, run:\n\n```bash\nnode \u003c\u003c\u0027NODE\u0027\n\u0027use strict\u0027;\nconst fs = require(\u0027fs\u0027);\nconst os = require(\u0027os\u0027);\nconst path = require(\u0027path\u0027);\nconst http = require(\u0027http\u0027);\nconst nodemailer = require(\u0027./\u0027);\nconst marker = \u0027NM_JSON_BYPASS_\u0027 + Date.now();\nconst fixture = path.join(os.tmpdir(), \u0027nodemailer-json-bypass-\u0027 + process.pid + \u0027.txt\u0027);\nfs.writeFileSync(fixture, marker);\nfunction sendMail(transport, data) {\n  return new Promise((resolve, reject) =\u003e transport.sendMail(data, (err, info) =\u003e err ? reject(err) : resolve(info)));\n}\n(async () =\u003e {\n  const jsonTransport = nodemailer.createTransport({ jsonTransport: true, disableFileAccess: true, disableUrlAccess: true });\n  const jsonInfo = await sendMail(jsonTransport, {\n    from: \u0027sender@example.test\u0027,\n    to: \u0027recipient@example.test\u0027,\n    subject: \u0027json file bypass\u0027,\n    text: \u0027body\u0027,\n    attachments: [{ filename: \u0027secret.txt\u0027, path: fixture }]\n  });\n  const jsonMessage = JSON.parse(jsonInfo.message);\n  const decoded = Buffer.from(jsonMessage.attachments[0].content, \u0027base64\u0027).toString(\u0027utf8\u0027);\n  console.log(\u0027JSON_FILE_BYPASS=\u0027 + (decoded === marker));\n  console.log(\u0027JSON_FILE_CONTENT=\u0027 + decoded);\n\n  const streamTransport = nodemailer.createTransport({ streamTransport: true, buffer: true, disableFileAccess: true });\n  try {\n    await sendMail(streamTransport, {\n      from: \u0027sender@example.test\u0027,\n      to: \u0027recipient@example.test\u0027,\n      subject: \u0027stream control\u0027,\n      text: \u0027body\u0027,\n      attachments: [{ filename: \u0027secret.txt\u0027, path: fixture }]\n    });\n    console.log(\u0027STREAM_FILE_CONTROL=NO_ERROR\u0027);\n  } catch (err) {\n    console.log(\u0027STREAM_FILE_CONTROL=\u0027 + err.code);\n  }\n\n  const server = http.createServer((req, res) =\u003e {\n    console.log(\u0027LOCAL_HTTP_REQUEST=\u0027 + req.method + \u0027 \u0027 + req.url);\n    res.end(\u0027LOCAL_HTTP_MARKER\u0027);\n  });\n  await new Promise(resolve =\u003e server.listen(0, \u0027127.0.0.1\u0027, resolve));\n  const url = \u0027http://127.0.0.1:\u0027 + server.address().port + \u0027/private\u0027;\n  const jsonUrlInfo = await sendMail(jsonTransport, {\n    from: \u0027sender@example.test\u0027,\n    to: \u0027recipient@example.test\u0027,\n    subject: \u0027json url bypass\u0027,\n    text: { href: url }\n  });\n  const jsonUrlMessage = JSON.parse(jsonUrlInfo.message);\n  console.log(\u0027JSON_URL_BYPASS=\u0027 + (jsonUrlMessage.text === \u0027LOCAL_HTTP_MARKER\u0027));\n  const streamUrlTransport = nodemailer.createTransport({ streamTransport: true, buffer: true, disableUrlAccess: true });\n  try {\n    await sendMail(streamUrlTransport, {\n      from: \u0027sender@example.test\u0027,\n      to: \u0027recipient@example.test\u0027,\n      subject: \u0027stream url control\u0027,\n      text: { href: url }\n    });\n    console.log(\u0027STREAM_URL_CONTROL=NO_ERROR\u0027);\n  } catch (err) {\n    console.log(\u0027STREAM_URL_CONTROL=\u0027 + err.code);\n  }\n  server.close();\n  fs.unlinkSync(fixture);\n})().catch(err =\u003e { try { fs.unlinkSync(fixture); } catch (E) {} console.error(err \u0026\u0026 err.stack || err); process.exit(1); });\nNODE\n```\n\nObserved output in this environment:\n\n```text\nJSON_FILE_BYPASS=true\nJSON_FILE_CONTENT=NM_JSON_BYPASS_1779802076150\nSTREAM_FILE_CONTROL=EFILEACCESS\nLOCAL_HTTP_REQUEST=GET /private\nJSON_URL_BYPASS=true\nSTREAM_URL_CONTROL=EURLACCESS\n```\n\nExpected vulnerable output: `JSON_FILE_BYPASS=true`, the printed temporary marker in `JSON_FILE_CONTENT`, a `LOCAL_HTTP_REQUEST=GET /private` line, and `JSON_URL_BYPASS=true`. Expected negative/control output: `STREAM_FILE_CONTROL=EFILEACCESS` and `STREAM_URL_CONTROL=EURLACCESS`, showing the same policy flags work in the normal streaming transport.\n\nCleanup: the PoC removes its temporary fixture file before exiting and closes the local HTTP server.\n\n### Impact\n\nIf an application uses `jsonTransport` to safely serialize or queue partially user-controlled Nodemailer message objects while relying on `disableFileAccess` / `disableUrlAccess`, an attacker can bypass those protections. The file-read variant can copy local file contents into the generated JSON message output. The URL-fetch variant can force outbound HTTP requests from the application host to local or internal services despite URL access being disabled. The impact depends on what message fields the embedding application exposes and where it stores or returns the generated JSON, but the local PoC confirms both protected sink operations are reached.\n\n### Suggested remediation\n\nEnforce `disableFileAccess` and `disableUrlAccess` inside `shared.resolveContent()` or pass an explicit policy object into every pre-resolution call and reject protected `path` / `href` values before opening files or fetching URLs. Apply the same fix to `jsonTransport` normalization and the `attachDataUrls` pre-plugin path. Add regression tests showing `jsonTransport` returns `EFILEACCESS` / `EURLACCESS` for file and URL content when those flags are set, and that `attachDataUrls` cannot resolve object-form `html.path` / `html.href` when the corresponding access flag is disabled.",
  "id": "GHSA-wqvq-jvpq-h66f",
  "modified": "2026-06-15T17:35:10Z",
  "published": "2026-06-15T17:35:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-wqvq-jvpq-h66f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/nodemailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization"
}

GHSA-WQW9-GW94-Q362

Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31
VLAI
Details

Missing Authorization vulnerability in CreativeMotion Titan Anti-spam & Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Titan Anti-spam & Security: from n/a through 7.3.6.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T15:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in CreativeMotion Titan Anti-spam \u0026 Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Titan Anti-spam \u0026 Security: from n/a through 7.3.6.",
  "id": "GHSA-wqw9-gw94-q362",
  "modified": "2024-11-01T15:31:58Z",
  "published": "2024-11-01T15:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38777"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/anti-spam/wordpress-titan-anti-spam-security-plugin-7-3-5-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WQXM-MXC5-6F58

Vulnerability from github – Published: 2024-12-13 15:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in VillaTheme CURCY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CURCY: from n/a through 2.1.25.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-13T15:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in VillaTheme CURCY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CURCY: from n/a through 2.1.25.",
  "id": "GHSA-wqxm-mxc5-6f58",
  "modified": "2026-04-28T21:35:22Z",
  "published": "2024-12-13T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46796"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/woo-multi-currency/vulnerability/wordpress-curcy-plugin-2-1-25-unauthenticated-plugin-settings-change-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR37-9FM6-9669

Vulnerability from github – Published: 2025-04-04 18:31 – Updated: 2026-04-01 18:34
VLAI
Details

Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through 1.0.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-32217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-04T16:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through 1.0.8.",
  "id": "GHSA-wr37-9fm6-9669",
  "modified": "2026-04-01T18:34:31Z",
  "published": "2025-04-04T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32217"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.