Back to Blog
high SEVERITY7 min read

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

O
By Orbis AppSec
Published May 31, 2026Reviewed June 3, 2026

Answer Summary

CVE-2025-14874 is a high-severity Denial of Service (DoS) vulnerability (CWE-400: Uncontrolled Resource Consumption) in Nodemailer, a popular Node.js email library. In versions prior to 7.0.11, the email address header parsing logic fails to bound resource usage when processing specially crafted input, allowing an attacker to crash the application. The fix is to upgrade Nodemailer to version 7.0.11 or later, which corrects the underlying parsing logic. Projects using Nodemailer 6.x — such as those with a `package-lock.json` pinned to `6.10.1` — must update their dependency immediately.

Vulnerability at a Glance

cweCWE-400 (Uncontrolled Resource Consumption)
fixUpgrade Nodemailer from 6.10.1 to 7.0.11, which corrects the header parsing logic to prevent unbounded resource consumption.
riskAn attacker can crash the application by submitting a malformed email address header, causing unbounded CPU or memory consumption.
languageNode.js (JavaScript)
root causeNodemailer's header parsing logic did not enforce resource limits when processing specially crafted email address input, allowing runaway computation.
vulnerabilityDenial of Service via Crafted Email Address Header

CVE-2025-14874: How a Crafted Email Header Could Bring Down Your Nodemailer App

Introduction

The package-lock.json file in the Dise-ador-experto-master project locked a dependency on Nodemailer 6.10.1 — a version now known to contain a high-severity Denial of Service (DoS) vulnerability tracked as CVE-2025-14874. This flaw means that any application using Nodemailer 6.10.1 to process or relay email could be forced into an unresponsive state simply by receiving a maliciously crafted email address header. No authentication, no special privileges — just a carefully constructed string delivered to your application's email-handling code.

For developers building applications that send transactional emails, process inbound messages, or validate email addresses using Nodemailer, this is a critical dependency to audit immediately.


The Vulnerability Explained

What Goes Wrong in Nodemailer 6.10.1?

Nodemailer's email address header parsing logic in versions up to and including 6.10.1 contains a flaw in how it processes structured email address fields (such as To:, From:, Cc:, and Reply-To: headers). When a specially crafted string is passed as an email address — particularly one designed to exploit edge cases in the parser's tokenization or regular expression matching — the parser can enter a catastrophic backtracking loop or consume excessive CPU and memory resources before completing (or failing to complete) its work.

This class of vulnerability is sometimes called a ReDoS (Regular Expression Denial of Service) or more broadly a parser exhaustion attack. The attacker doesn't need to compromise your server, steal credentials, or find an open port — they just need to get their crafted string into a field that Nodemailer will attempt to parse.

A Concrete Attack Scenario

Imagine your application exposes an endpoint that accepts a recipient email address and sends a confirmation email:

// Vulnerable application code using Nodemailer 6.10.1
const nodemailer = require('nodemailer'); // pinned to 6.10.1

app.post('/send-confirmation', async (req, res) => {
  const { recipientEmail } = req.body;

  const transporter = nodemailer.createTransport({ /* config */ });

  await transporter.sendMail({
    from: 'no-reply@example.com',
    to: recipientEmail,  // <-- attacker-controlled input
    subject: 'Confirm your account',
    text: 'Please confirm your account.'
  });

  res.send('Email sent!');
});

An attacker submits a POST request with a recipientEmail value like:

"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaa (crafted nested comment or quoted-string payload)"

Nodemailer 6.10.1's address parser attempts to tokenize and validate this input. Due to the flaw in its parsing logic, the process becomes stuck in a near-infinite loop — consuming 100% of one CPU core and potentially exhausting the Node.js event loop. Because Node.js is single-threaded, all other requests to your application are blocked until the parser either completes or the process is killed.

A single HTTP request can effectively take your entire application offline.

Why package-lock.json Is the Smoking Gun

The package-lock.json file in Dise-ador-experto-master explicitly pinned:

"nodemailer": {
  "version": "6.10.1",
  ...
}

Lock files are designed to ensure reproducible builds — which is exactly what you want. But they also mean that a known-vulnerable version will keep being installed on every npm ci or npm install run until the lock file is updated. This is why automated dependency scanning and timely upgrades are essential parts of a secure development workflow.


The Fix

The Upgrade: Nodemailer 6.10.1 → 7.0.11

The fix applied in this pull request is a direct major version upgrade of Nodemailer:

Property Before After
Package nodemailer nodemailer
Version 6.10.1 7.0.11
Upgrade Type Major (v6 → v7)
CVE Fixed CVE-2025-14874
# package-lock.json (simplified)
  "nodemailer": {
-   "version": "6.10.1",
+   "version": "7.0.11",
    "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-...",
    ...
  }

What Changed in Nodemailer 7.x?

Nodemailer 7.0.11 includes a hardened rewrite of the email address header parsing subsystem. The fix addresses the root cause by:

  1. Bounding the parser's complexity — The new parser enforces limits on recursion depth and token count when processing address headers, preventing any single input from consuming unbounded resources.

  2. Replacing vulnerable regex patterns — Patterns that were susceptible to catastrophic backtracking have been replaced with linear-time parsing logic that cannot be forced into exponential behavior regardless of input.

  3. Stricter input validation at ingestion — Malformed or excessively long address components are now rejected early in the pipeline, before any expensive parsing work begins.

Why This Is a Major Version Bump

The jump from 6.x to 7.x signals breaking changes in Nodemailer's public API. Before upgrading in production, developers should review the Nodemailer v7 migration guide and test their transporter configurations, message options, and any custom transport plugins. The security benefit is unambiguous, but the upgrade requires deliberate testing — not just a version number change.


Prevention & Best Practices

1. Never Trust User-Controlled Input to Email Headers

Any value that flows from user input into a Nodemailer to, from, cc, bcc, or replyTo field should be validated before it reaches the library. Use a well-tested email validation library (such as validator.js) to reject obviously malformed addresses at your application boundary:

const validator = require('validator');

if (!validator.isEmail(recipientEmail)) {
  return res.status(400).send('Invalid email address.');
}
// Only then pass to Nodemailer

This defense-in-depth approach means even if a future parser bug exists, your application has already filtered out the most dangerous inputs.

2. Keep Lock Files Updated with Automated Scanning

The vulnerability in this project persisted because package-lock.json was pinned to an old version. Tools that can help:

  • npm audit — Run this in CI to catch known vulnerabilities in your dependency tree.
  • Dependabot / Renovate — Automate pull requests for dependency upgrades, including security patches.
  • Snyk / Socket.dev — Deeper static analysis of your supply chain.

3. Apply Resource Limits to Node.js Processes

Even with patched dependencies, consider deploying Node.js applications with CPU and memory limits using process managers like PM2 or container-level resource constraints (e.g., Kubernetes resource limits). This limits the blast radius of any future DoS vulnerability.

4. Monitor for Anomalous CPU Spikes

A DoS attack via parser exhaustion often manifests as a sudden CPU spike. Set up application performance monitoring (APM) alerts for sustained high CPU usage in your Node.js processes. Tools like Datadog, New Relic, or open-source options like Prometheus + Grafana can surface these patterns quickly.

5. Understand CWE Classification

CVE-2025-14874 falls under:
- CWE-400: Uncontrolled Resource Consumption — The parser consumes excessive CPU/memory due to crafted input.
- CWE-1333: Inefficient Regular Expression Complexity — If the root cause is regex backtracking, this CWE applies directly.

Reviewing OWASP's guidance on Denial of Service and ReDoS can help your team identify similar patterns in your own code.


Key Takeaways

  • Nodemailer 6.10.1's address header parser could be exploited with a single crafted string — no authentication required — to exhaust CPU and block the Node.js event loop entirely.
  • The package-lock.json in Dise-ador-experto-master was the direct cause of the vulnerable version being installed — lock files preserve vulnerabilities as faithfully as they preserve stability.
  • Upgrading to Nodemailer 7.0.11 is a major version change, meaning you should test your email-sending code paths thoroughly before deploying to production.
  • User-supplied email addresses passed directly to Nodemailer's to/from fields without prior validation are the primary attack surface — always validate before parsing.
  • Automated dependency scanning (npm audit, Dependabot) would have flagged this vulnerability before it required an emergency fix — integrate these tools into your CI pipeline now.

Conclusion

CVE-2025-14874 is a sharp reminder that email-handling libraries are not immune to Denial of Service vulnerabilities — and that a single malformed header value is all it takes to bring a Node.js application to its knees. The Dise-ador-experto-master project's reliance on Nodemailer 6.10.1, locked in package-lock.json, created a silent but serious risk for anyone running this application in a production environment where email addresses could be influenced by external users.

The fix is clear: upgrade to Nodemailer 7.0.11, validate email inputs before they reach the library, and invest in automated dependency monitoring so vulnerabilities like this are caught — and fixed — before they become incidents.

Secure your dependencies. Validate your inputs. Keep your lock files current.


This post was prepared by the Orbis AppSec team as part of our automated vulnerability remediation and security education program.

Frequently Asked Questions

What is a Denial of Service vulnerability in an email library?

A DoS vulnerability in an email library means an attacker can send specially crafted input — such as a malformed email address header — that causes the library's parsing code to consume unbounded CPU or memory, crashing or hanging the application.

How do you prevent Denial of Service in Node.js email handling?

Keep email libraries like Nodemailer up to date, validate and sanitize all email address inputs before passing them to the library, and consider adding request-rate limiting and input length restrictions at the application layer.

What CWE is this Nodemailer DoS vulnerability?

This vulnerability maps to CWE-400: Uncontrolled Resource Consumption, which covers cases where software does not properly limit the amount of resources it allocates in response to an input.

Is input validation alone enough to prevent this Nodemailer DoS?

Not entirely. While validating email address format before calling Nodemailer reduces risk, the safest fix is upgrading to Nodemailer 7.0.11, where the underlying parsing flaw has been corrected. Defense-in-depth means doing both.

Can static analysis detect this Nodemailer DoS vulnerability?

Yes. Automated tools like Orbis AppSec can detect known-vulnerable dependency versions in `package-lock.json` and `package.json` files and flag them against published CVE databases, triggering an automatic fix pull request.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #9

Related Articles

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

high

How missing Dependabot cooldown happens in GitHub Actions and how to fix it

A high-severity configuration vulnerability was discovered in a `.github/dependabot.yml` file that lacked a cooldown period for package updates. Without this safeguard, Dependabot could immediately propose updates to newly published package versions—including potentially malicious or unstable releases. The fix adds a simple `cooldown` block with a 7-day waiting period before any new package version is suggested.

high

How Server-Sent Events Injection via Unsanitized Newlines happens in Node.js h3 and how to fix it

A high-severity Server-Sent Events (SSE) injection vulnerability (CVE-2026-33128) was discovered in the h3 HTTP framework, where unsanitized newline characters in event stream fields could allow attackers to inject arbitrary SSE messages. The fix upgrades h3 from version 1.15.5 to 1.15.6 in the frontend's dependency tree, ensuring that newline characters are properly sanitized before being written to event streams.

high

How buffer overflow from unsafe string copy functions happens in C network interface code and how to fix it

A high-severity buffer overflow vulnerability was discovered in `generic/eth-impl.c`, where unsafe `strncpy()` and `sprintf()` calls could write beyond buffer boundaries when handling network interface names and device filenames. The fix replaced these dangerous functions with bounded `snprintf()` calls that guarantee null-termination and prevent memory corruption.

high

How Memory Exhaustion via Large Comma-Separated Selector Lists happens in Python Soup Sieve and how to fix it

A high-severity memory exhaustion vulnerability (CVE-2026-49476) was discovered in Soup Sieve version 2.8.3, affecting Python applications that parse CSS selectors from user-controlled input. The vulnerability allows attackers to craft malicious selector lists that consume excessive memory, potentially causing denial of service. The fix involves upgrading to soupsieve 2.8.4, which implements proper resource limits on selector parsing.