Description
MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 2.0.0-beta1, <= 2.1.0
References
Related Issues
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Angular Expressions - Remote Code Execution when using locals - CVE-2024-54152
- Remote Code Execution on click of <a> Link in markdown preview - CVE-2024-49362
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- Tags:
- npm
- maildev
Anything's wrong? Let us know Last updated on March 14, 2025