CVE

GHSA-jj37-3377-m6vv

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

CVE

GHSA-jj37-3377-m6vv

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references.

Original Description

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Related Resources

No items found.

References

https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87, https://nvd.nist.gov/vuln/detail/CVE-2025-13033, https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626, https://access.redhat.com/security/cve/CVE-2025-13033, https://bugzilla.redhat.com/show_bug.cgi?id=2402179, https://github.com/nodemailer/nodemailer

Severity

7.5

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.5

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

7.0.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-jj37-3377-m6vv