Category

Email Security

Security vulnerabilities and automated fixes for email security issues

5 posts found

critical7 min

How unsafe realloc() and memcpy() causes buffer overflow in C email parsing and how to fix it

A critical vulnerability in `email/receive.cpp` allowed attackers to trigger a buffer overflow by sending crafted emails with large payloads. The `writefunc()` callback failed to validate that `realloc()` succeeded before writing to the reallocated pointer, risking NULL pointer dereference and potential code execution. The fix adds a simple bounds check that validates the realloc result before use.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
Jun 3, 2026
high6 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Headers

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.

#nodemailer#denial-of-service#CVE-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

#nodemailer#denial-of-service#cve-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

#nodemailer#denial-of-service#cve-2025-14874+4 more
O
orbisai0security
May 31, 2026
high7 min

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

#cve-2025-14874#nodemailer#denial-of-service+4 more
O
orbisai0security
May 31, 2026