PatchSiren cyber security CVE debrief

CVE-2026-38728 Nodemailer CVE debrief

CVE-2026-38728 is a high-severity denial-of-service issue in the Nodemailer smtp-server component before v3.18.3. The supplied record says a remote attacker can trigger the failure through SMTPStream._write in lib/smtp-stream.js. A fix is referenced in the v3.18.3 release, and the NVD record currently shows vulnStatus as Deferred.

Vendor: Nodemailer
Product: smtp_server
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Operators and developers running the Nodemailer smtp-server project, especially if it is exposed to untrusted SMTP traffic. Mail infrastructure teams, application owners embedding the server component, and responders responsible for service availability should prioritize this issue.

Technical summary

The record describes a network-accessible DoS condition in Nodemailer smtp-server before version 3.18.3. The affected path is identified as SMTPStream._write in lib/smtp-stream.js. NVD lists the weakness as CWE-400 and the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which aligns with availability impact without confidentiality or integrity impact. The references include the project repository and the v3.18.3 release tag, indicating the issue was addressed in that release.

Defensive priority

High. This is an unauthenticated remote availability issue with a CVSS 7.5 score and a clear fixed version referenced. If the component is internet-facing or receives untrusted SMTP input, remediation should be prioritized.

Recommended defensive actions

  • Upgrade Nodemailer smtp-server to v3.18.3 or later.
  • Inventory services and applications that depend on smtp-server to confirm exposure.
  • If immediate upgrade is not possible, reduce exposure by restricting network access to the SMTP service.
  • Monitor for service instability or repeated SMTP-related crashes while remediation is pending.
  • Validate that deployment artifacts and lockfiles no longer pin vulnerable pre-3.18.3 versions.

Evidence notes

Source material supplied with the record identifies the issue as a DoS in Nodemailer smtp-server before v3.18.3, with the failure path in SMTPStream._write in lib/smtp-stream.js. The NVD item is marked vulnStatus: Deferred and cites CWE-400. References supplied with the record include a Bytecreator blog post, the nodemailer/smtp-server repository, and the v3.18.3 release tag. No KEV entry is listed in the supplied timeline.

Official resources

Published 2026-05-15 and modified 2026-05-18. No KEV date is present in the supplied timeline, and the record should be treated as a non-KEV availability issue pending further vendor confirmation.