Back to Blog
high SEVERITY7 min read

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

O
By Orbis AppSec
Published May 31, 2026Reviewed June 3, 2026

Answer Summary

CVE-2025-14874 is a denial-of-service (DoS) vulnerability (CWE-400: Uncontrolled Resource Consumption) in Nodemailer versions prior to 7.0.0, affecting Node.js applications that send or process email. An attacker who can supply a specially crafted email address header can cause the Nodemailer address parser to hang or crash the process. The fix is a major-version upgrade from Nodemailer 6.10.1 to 7.0.7, which rewrites the vulnerable parsing logic to handle adversarial input safely.

Vulnerability at a Glance

cweCWE-400 (Uncontrolled Resource Consumption)
fixUpgrade Nodemailer from 6.10.1 to 7.0.7 in package-lock.json
riskApplication hang or crash when processing a malicious email address
languageNode.js (JavaScript)
root causeNodemailer 6.x address parser enters catastrophic backtracking or infinite loop on certain crafted inputs
vulnerabilityDenial-of-Service via crafted email address header

CVE-2025-14874: How a Crafted Email Header Could Bring Down Your Nodemailer App

Introduction

The package-lock.json file in Dise-ador-experto-master locked the project to Nodemailer 6.10.1 — a version now known to harbor a high-severity denial-of-service vulnerability tracked as CVE-2025-14874. This isn't a theoretical risk: any endpoint in the application that accepts user-supplied email addresses and passes them through Nodemailer's address parsing logic becomes a potential crash vector. An attacker who knows (or guesses) that the backend uses Nodemailer can send a single malformed request and potentially take down the mail-sending functionality — or worse, the entire Node.js process.

This post breaks down exactly what went wrong, how the vulnerability works, and what the upgrade from 6.10.1 → 7.0.7 actually fixes.


The Vulnerability Explained

What Nodemailer Does With Email Headers

Nodemailer is one of the most widely used Node.js libraries for sending email. When you call something like:

transporter.sendMail({
  from: '"Sender" <sender@example.com>',
  to: userSuppliedEmailAddress,
  subject: 'Hello',
  text: 'Message body'
});

Nodemailer internally parses the to, from, cc, and bcc fields through its address parser. This parser handles RFC 5321/5322 address formats, including edge cases like display names, quoted strings, group syntax, and encoded words.

The DoS Trigger: Crafted Address Headers

CVE-2025-14874 specifically targets this address parsing stage. In Nodemailer 6.x, the address parser contains logic that can enter a pathological state when processing certain crafted inputs — specifically malformed or adversarially structured email address headers. The parser may:

  • Enter a near-infinite loop processing a deeply nested or malformed address group
  • Consume unbounded CPU cycles on a single input string
  • Block the Node.js event loop, causing all other requests to queue indefinitely

Because Node.js runs on a single-threaded event loop, a single blocked synchronous operation freezes the entire server. This is what makes this class of vulnerability so dangerous in Node.js applications.

A Concrete Attack Scenario

Consider a contact form in the Dise-ador-experto-master application that accepts a user's email address and passes it directly to Nodemailer:

// Hypothetical vulnerable handler
app.post('/contact', async (req, res) => {
  const { userEmail, message } = req.body;

  await transporter.sendMail({
    from: 'noreply@app.com',
    to: userEmail,       // ← user-controlled input fed to Nodemailer 6.10.1
    subject: 'We received your message',
    text: message
  });

  res.json({ success: true });
});

An attacker sends a POST request with a payload like:

userEmail: "a(((((((((((((((((((((((((((((((((((((((((((((((((((b"

Or a deeply nested RFC 5322 group address:

userEmail: "Group:(Group:(Group:(Group:(Group: a@b.com)))));"

Nodemailer 6.10.1's parser attempts to fully resolve this structure synchronously. The event loop stalls. All subsequent HTTP requests to the server pile up unanswered. From the outside, the application appears to have gone offline — a classic application-layer denial of service.

Why Version 6.10.1 Is Specifically Vulnerable

The vulnerability exists in the address parsing subsystem of the 6.x release line. The 6.x parser was not hardened against adversarial inputs — it lacked depth limits, iteration caps, or timeout guards on the parsing routines. The 7.x rewrite addressed these architectural weaknesses directly.


The Fix

What Changed: 6.10.1 → 7.0.7

This was a direct major version upgrade — not a patch or minor bump. That distinction matters: the Nodemailer maintainers needed to make breaking changes to fully resolve the underlying architectural issues in the address parser.

Before (vulnerable):

// package-lock.json (excerpt)
"nodemailer": {
  "version": "6.10.1",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz",
  ...
}

After (fixed):

// package-lock.json (excerpt)
"nodemailer": {
  "version": "7.0.7",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.7.tgz",
  ...
}

What Nodemailer 7.x Actually Fixed

The 7.x release line introduced several hardening measures in the address parser:

  1. Input length guards: The parser now enforces maximum input length limits before beginning tokenization, rejecting pathologically long address strings early.

  2. Recursion depth limits: Nested group address parsing now has explicit depth caps, preventing stack exhaustion and near-infinite loops on deeply nested structures.

  3. Iteration caps: Loop constructs in the parser are bounded, ensuring that even malformed inputs cannot cause unbounded CPU consumption.

  4. Fail-fast error handling: Rather than attempting to "best-effort" parse malformed addresses (which 6.x did), 7.x throws structured errors early, returning control to the event loop promptly.

Why a Major Version Bump Was Required

The 6.x → 7.x jump introduced breaking API changes alongside the security fixes. If your application uses Nodemailer 6.x, you may need to audit for:

  • Changes to transport configuration options
  • Updated callback/Promise API behavior
  • Modified SMTP connection pooling defaults

Review the Nodemailer 7.x migration guide before upgrading in production to ensure compatibility.


Prevention & Best Practices

1. Validate Email Addresses Before Passing to Nodemailer

Never pass raw user input directly to sendMail(). Use a validation library to reject malformed addresses at the boundary:

const { validate } = require('email-validator'); // or use zod, joi, etc.

app.post('/contact', async (req, res) => {
  const { userEmail } = req.body;

  if (!validate(userEmail)) {
    return res.status(400).json({ error: 'Invalid email address' });
  }

  // Now safe to pass to Nodemailer
  await transporter.sendMail({ to: userEmail, ... });
});

2. Apply Input Length Limits

Even with validation, enforce a maximum length on email address inputs at the HTTP layer:

const MAX_EMAIL_LENGTH = 254; // RFC 5321 maximum

if (userEmail.length > MAX_EMAIL_LENGTH) {
  return res.status(400).json({ error: 'Email address too long' });
}

3. Keep Dependencies Pinned to Patched Versions

The package-lock.json in Dise-ador-experto-master was pinned to 6.10.1. Automated dependency scanning tools (like the one that generated this fix) are essential for catching these situations:

  • npm audit: Run npm audit in CI/CD pipelines
  • Dependabot / Renovate: Automate dependency update PRs
  • Orbis AppSec: Continuous vulnerability monitoring with automated fixes

4. Wrap Email Sending in Timeouts

As a defense-in-depth measure, wrap Nodemailer calls in a timeout to limit blast radius if a DoS condition is triggered:

const sendWithTimeout = (mailOptions, timeoutMs = 5000) => {
  return Promise.race([
    transporter.sendMail(mailOptions),
    new Promise((_, reject) =>
      setTimeout(() => reject(new Error('Mail send timeout')), timeoutMs)
    )
  ]);
};

5. Reference Standards

  • CWE-400: Uncontrolled Resource Consumption (the CWE category for this DoS class)
  • OWASP Top 10 A05:2021 – Security Misconfiguration (outdated/vulnerable components)
  • OWASP Dependency-Check: Tool for identifying vulnerable dependencies
  • RFC 5321/5322: The email address format standards that parsers must safely implement

Key Takeaways

  • User-controlled email addresses fed to Nodemailer 6.10.1 are a DoS vector: Any endpoint in Dise-ador-experto-master that accepts email input and passes it to transporter.sendMail() was potentially exploitable with a single crafted request.

  • The fix required a major version upgrade (6.x → 7.x): The address parser in Nodemailer 6.x had architectural weaknesses that couldn't be patched in-place — the 7.x rewrite was the correct solution.

  • package-lock.json pinning can freeze you on vulnerable versions: The lock file held the project at 6.10.1 indefinitely; automated scanning is what surfaced this risk.

  • Synchronous parsing on the Node.js event loop amplifies DoS impact: Because Nodemailer's parser runs synchronously, a stalled parse blocks all concurrent requests — one malicious request can affect all users.

  • Validate email addresses before library consumption, not after: Input validation at the application boundary (before calling Nodemailer) provides defense-in-depth even if the library has parser bugs.


Conclusion

CVE-2025-14874 is a reminder that even mature, widely-trusted libraries like Nodemailer can harbor serious vulnerabilities in their input-handling logic. The Dise-ador-experto-master project was running Nodemailer 6.10.1 — a version whose address parser could be weaponized with a single crafted email header to stall the Node.js event loop and deny service to all users.

The fix is straightforward in outcome: upgrade to Nodemailer 7.0.7. But the lesson is broader — every user-supplied string that flows into a parsing library is a potential DoS vector, and keeping dependencies current is a non-negotiable part of secure application maintenance.

If your Node.js application sends email, check your package-lock.json today. If you see nodemailer at any 6.x version, this fix applies to you.


This vulnerability was identified and remediated using automated security scanning. For continuous dependency vulnerability monitoring and automated fixes, visit Orbis AppSec.

Frequently Asked Questions

What is CVE-2025-14874?

CVE-2025-14874 is a high-severity denial-of-service vulnerability in Nodemailer versions before 7.0.0. A specially crafted email address header can cause the address parser to hang or crash the Node.js process, making the application unavailable.

How do you prevent Nodemailer DoS in Node.js?

Upgrade Nodemailer to version 7.0.0 or later (7.0.7 is the recommended safe version as of this writing). Additionally, validate and sanitize email address inputs before passing them to Nodemailer, and consider rate-limiting email-sending endpoints.

What CWE is this Nodemailer vulnerability?

CWE-400: Uncontrolled Resource Consumption. The vulnerable parser consumes unbounded CPU or memory when processing adversarial input, leading to a denial of service.

Is input validation enough to prevent this Nodemailer DoS?

Input validation helps reduce risk but is not sufficient on its own. The root cause is in Nodemailer's internal address parsing logic, so upgrading to 7.0.7 is the definitive fix. Validation is a useful defense-in-depth layer.

Can static analysis detect this Nodemailer vulnerability?

Yes. Automated dependency scanning tools (such as npm audit, Dependabot, or Orbis AppSec) can detect the use of Nodemailer <7.0.0 and flag it as vulnerable. Static analysis alone won't find the parser bug, but SCA (Software Composition Analysis) will.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #8

Related Articles

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Headers

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

high

How missing Dependabot cooldown happens in GitHub Actions and how to fix it

A high-severity configuration vulnerability was discovered in a `.github/dependabot.yml` file that lacked a cooldown period for package updates. Without this safeguard, Dependabot could immediately propose updates to newly published package versions—including potentially malicious or unstable releases. The fix adds a simple `cooldown` block with a 7-day waiting period before any new package version is suggested.

high

How Server-Sent Events Injection via Unsanitized Newlines happens in Node.js h3 and how to fix it

A high-severity Server-Sent Events (SSE) injection vulnerability (CVE-2026-33128) was discovered in the h3 HTTP framework, where unsanitized newline characters in event stream fields could allow attackers to inject arbitrary SSE messages. The fix upgrades h3 from version 1.15.5 to 1.15.6 in the frontend's dependency tree, ensuring that newline characters are properly sanitized before being written to event streams.

high

How buffer overflow from unsafe string copy functions happens in C network interface code and how to fix it

A high-severity buffer overflow vulnerability was discovered in `generic/eth-impl.c`, where unsafe `strncpy()` and `sprintf()` calls could write beyond buffer boundaries when handling network interface names and device filenames. The fix replaced these dangerous functions with bounded `snprintf()` calls that guarantee null-termination and prevent memory corruption.