
Security: @payloadcms/email-nodemailer pins vulnerable nodemailer@7.0.12 (GHSA-vvjj-xcjg-gr5g, GHSA-c7w3-x93f-qmm8) — see PR #16501 #16651

@jhb-dev

Summary

@payloadcms/email-nodemailer@3.84.1 pins nodemailer: 7.0.12 as an exact dependency. That version is vulnerable to two known advisories. The patched range is nodemailer >= 8.0.5.

Note: PR #16501 (chore: bump nodemailer minimum version to 8.0.5) by @abarani already proposes exactly this fix and was opened 2026-05-06. It's awaiting review (mergeable_state: blocked). Filing this issue to document downstream impact and add visibility — reviewing/merging that PR would close this.

Downstream consumers can't safely fix this without forcing the upgrade through a package-manager override, which is brittle and easy to miss.

Vulnerability details

| Severity | Advisory | Vulnerable | Patched |
| --- | --- | --- | --- |
| Moderate | GHSA-vvjj-xcjg-gr5g — SMTP command injection via CRLF in transport name (EHLO/HELO) | <= 8.0.4 | >= 8.0.5 |
| Low | GHSA-c7w3-x93f-qmm8 — SMTP command injection via unsanitized envelope.size | < 8.0.4 | >= 8.0.4 |

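The two advisories above are the same bug class: a caller-controlled value (the transport `name` used for EHLO/HELO, or `envelope.size` appended to MAIL FROM) is interpolated into the SMTP command stream, so a CR/LF inside it ends the current command and whatever follows is parsed by the server as a new command. The following is an added illustration, not nodemailer's implementation and not part of this issue; the `buildCommandsUnsafe`/`buildCommandsSafe` builders, the hostname pattern and the sample input are assumptions chosen to show the mechanism and one way to close it (allowlist the hostname, accept SIZE only as an integer).

```javascript
// Added example: a minimal model of the SMTP command injection class named in
// GHSA-vvjj-xcjg-gr5g (transport `name` reaching EHLO/HELO) and
// GHSA-c7w3-x93f-qmm8 (`envelope.size` reaching MAIL FROM SIZE=).
// This is NOT nodemailer's code; the builders are hypothetical and only show
// why CR/LF in an interpolated value lets the caller smuggle extra commands.

const CRLF = '\r\n';

// Naive builder: values are interpolated verbatim into the command stream.
// Any CRLF inside `name` or `size` terminates the current command early and
// the remainder is read by the server as a separate command.
function buildCommandsUnsafe({ name, from, size }) {
  const cmds = [`EHLO ${name}`];
  let mailFrom = `MAIL FROM:<${from}>`;
  if (size !== undefined) mailFrom += ` SIZE=${size}`;
  cmds.push(mailFrom);
  return cmds.join(CRLF) + CRLF;
}

// What the server sees: one command per CRLF-terminated line.
function wireCommands(stream) {
  return stream.split(CRLF).filter((line) => line.length > 0);
}

// Hardened builder. Allowlist rather than blocklist: an EHLO/HELO argument is
// a hostname or a bracketed address literal, so anything outside that
// character set (which includes \r, \n and whitespace) is rejected up front.
const HOSTNAME_RE =
  /^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*|\[[0-9A-Fa-f.:]+\])$/;

function assertHostname(name) {
  if (typeof name !== 'string' || !HOSTNAME_RE.test(name)) {
    throw new TypeError('transport name must be a hostname or [address-literal]');
  }
  return name;
}

// SIZE is a decimal byte count in the protocol, so only a non-negative safe
// integer is accepted; a string (even "1024") is refused rather than coerced,
// which removes the CRLF path entirely.
function normalizeSize(size) {
  if (size === undefined) return undefined;
  if (!Number.isSafeInteger(size) || size < 0) {
    throw new TypeError('envelope.size must be a non-negative integer');
  }
  return size;
}

function buildCommandsSafe({ name, from, size }) {
  // `from` is assumed to be an already validated address; sender addresses
  // are not the subject of either advisory.
  return buildCommandsUnsafe({ name: assertHostname(name), from, size: normalizeSize(size) });
}

// Constructed demonstration input: a "hostname" carrying an injected RCPT TO.
const injectedName = 'mail.example.test' + CRLF + 'RCPT TO:<victim@example.test>';
const unsafeStream = buildCommandsUnsafe({ name: injectedName, from: 'app@example.test' });
console.log(wireCommands(unsafeStream)); // three commands; the middle one was smuggled in
try {
  buildCommandsSafe({ name: injectedName, from: 'app@example.test' });
} catch (err) {
  console.log('rejected:', err.message);
}
```

The fix in nodemailer >= 8.0.5 is the library's own and may differ in detail; the point of the model is that the check has to happen before interpolation, on the caller-supplied value, and that a numeric field like SIZE should never be accepted as a string.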
Current pin

packages/email-nodemailer/package.json declares:

"dependencies": {
  "nodemailer": "7.0.12"  // exact pin
}

Reproduction

mkdir nodemailer-cve && cd nodemailer-cve
npm init -y
npm install @payloadcms/email-nodemailer@3.84.1
npm audit

Both advisories above appear.

Requested fix

Bump the declared dependency in @payloadcms/email-nodemailer from nodemailer: 7.0.12 to nodemailer: ^8.0.5 (or wider). The v7 → v8 surface area used by this adapter (transport creation + sendMail) is unchanged in practice.

PR #16501 already implements this — just needs a review.

Workaround used downstream

Pinned via pnpm override:

overrides:
  nodemailer@<8.0.5: ">=8.0.5"
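An override is easy to get wrong (a typo in the selector, a workspace file that pnpm does not read, a lockfile that was not regenerated), so it is worth checking the resolved version rather than trusting the config. The script below is an added helper, not part of this issue or of Payload/nodemailer: given a version string, it reports which of the two advisories that version is still exposed to, using the vulnerable ranges from the table in this issue. Feeding it the installed version (for example from `pnpm ls nodemailer --depth Infinity`, or `node -p "require('nodemailer/package.json').version"` run from a directory where that resolves) is assumed to be done by the caller.

```javascript
// Added example, not part of the issue, Payload or nodemailer: report which
// nodemailer advisories a given installed version is still exposed to, using
// the ranges from this issue (GHSA-vvjj-xcjg-gr5g: <= 8.0.4,
// GHSA-c7w3-x93f-qmm8: < 8.0.4). Run it after adding the pnpm override to
// confirm the override actually took: node check-nodemailer.js <version>

function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new TypeError(`not a semver version: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable ranges as stated in the issue's table.
const NODEMAILER_ADVISORIES = [
  {
    id: 'GHSA-vvjj-xcjg-gr5g',
    severity: 'moderate',
    patched: '8.0.5',
    vulnerable: (v) => compareVersions(v, [8, 0, 4]) <= 0, // <= 8.0.4
  },
  {
    id: 'GHSA-c7w3-x93f-qmm8',
    severity: 'low',
    patched: '8.0.4',
    vulnerable: (v) => compareVersions(v, [8, 0, 4]) < 0, // < 8.0.4
  },
];

// Returns the advisory IDs the given version is still exposed to ([] if none).
function exposedAdvisories(version) {
  const v = parseVersion(version);
  return NODEMAILER_ADVISORIES.filter((a) => a.vulnerable(v)).map((a) => a.id);
}

// Minimal CLI: exit non-zero when the version is still exposed, so this can
// gate a CI step. The version argument is supplied by the caller.
const cliVersion = process.argv[2];
if (cliVersion) {
  const exposed = exposedAdvisories(cliVersion);
  if (exposed.length === 0) {
    console.log(`nodemailer ${cliVersion}: not exposed to the two advisories`);
  } else {
    console.log(`nodemailer ${cliVersion}: still exposed to ${exposed.join(', ')}`);
    process.exitCode = 1;
  }
}
```

Because pnpm can keep several copies of a package, run the check once per resolved version that `pnpm ls nodemailer --depth Infinity` prints, not only for the copy closest to the project root.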

Related

Environment

  • payload: 3.84.1
  • @payloadcms/email-nodemailer: 3.84.1
  • Node: 22+
  • Package manager: pnpm 11
