Back to Blog
high SEVERITY6 min read

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Headers

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.

O
By orbisai0security
May 31, 2026
#nodemailer#denial-of-service#CVE-2025-14874#npm#email-security#nodejs#dependency-management

CVE-2025-14874: How a Crafted Email Header Could Take Down Your Nodemailer Service

Introduction

The Dise-ador-experto-master/package-lock.json file locks a specific version of Nodemailer — one of the most widely used Node.js libraries for sending email. In this project, Nodemailer 6.10.1 was pinned as a direct dependency, and that version carries a high-severity flaw: CVE-2025-14874, a denial-of-service vulnerability triggered by a specially crafted email address header.

This matters because Nodemailer sits at a critical junction in many web applications — it processes externally supplied data (email addresses, headers) and converts them into SMTP transactions. When that input-parsing logic has a flaw, attackers don't need to compromise your database or bypass authentication; they just need to send a bad email address.

The Vulnerability Explained

What Goes Wrong in Nodemailer 6.10.1

CVE-2025-14874 is rooted in how Nodemailer 6.x parses and interprets email address headers. The vulnerability has two related dimensions:

  1. Denial of Service via crafted headers — A malformed or specially constructed email address value passed to Nodemailer's address parser can cause the process to hang, consume excessive CPU/memory, or throw an unhandled exception that crashes the Node.js process.

  2. Interpretation Conflict leading to unintended domain delivery — The same parsing ambiguity that causes the DoS can also cause Nodemailer to misinterpret the destination domain of an email, potentially routing messages to an unintended mail server. This is the "Interpretation Conflict" referenced in the PR title.

The Vulnerable Dependency in Context

In package-lock.json, the locked version looked like this:

// BEFORE — Vulnerable version locked in package-lock.json
"nodemailer": {
  "version": "6.10.1",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz",
  "integrity": "sha512-...",
  "requires": {}
}

Nodemailer 6.x's address parsing code contains logic that handles edge cases in RFC 5321/5322 address formats. When it encounters certain crafted inputs — such as addresses with unusual quoting, escaped characters in the local part, or deeply nested comment structures — the parsing routine can enter a pathological state.

A Concrete Attack Scenario

Consider a web application built on this project that accepts a user-supplied "Reply-To" or "CC" email address and passes it directly (or with minimal sanitization) to a Nodemailer sendMail() call:

// Simplified example of vulnerable usage pattern
transporter.sendMail({
  from: 'noreply@example.com',
  to: userSuppliedEmail,      // <-- attacker-controlled input
  replyTo: userSuppliedReplyTo, // <-- attacker-controlled input
  subject: 'Welcome!',
  text: 'Thanks for signing up.'
});

An attacker could supply a crafted value such as:

"very.unusual.\"@\".unusual.com"@example.com

or a deeply nested comment like:

user(comment(nested(deeply(((((bad)))))@evil.com)@legit.com

When Nodemailer 6.10.1's address parser processes this input, it can:

  • Enter a near-infinite parsing loop, spiking CPU to 100% and making the Node.js event loop unresponsive — effectively a self-inflicted DoS on your mail service.
  • Misidentify the domain portion of the address due to the interpretation conflict, causing the email to be dispatched to evil.com instead of legit.com — a potential data exfiltration or phishing amplification vector.

In a high-traffic application where email sending is triggered by user actions (registrations, password resets, contact forms), a single malicious request could starve the event loop and degrade or crash the entire application.

The Fix

What Changed

The fix is a direct major version upgrade of Nodemailer from 6.10.1 to 7.0.7, applied to Dise-ador-experto-master/package-lock.json.

// BEFORE — Vulnerable
"nodemailer": {
  "version": "6.10.1",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz"
}

// AFTER — Fixed
"nodemailer": {
  "version": "7.0.7",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.7.tgz"
}

Why a Major Version Bump?

This is a major version upgrade (6.x → 7.x), which signals that the Nodemailer maintainers made breaking changes alongside the security fix. The 7.x branch rewrote the address parsing and header serialization logic to:

  1. Eliminate the pathological parsing paths that caused CPU exhaustion on crafted inputs.
  2. Enforce stricter RFC compliance in domain-part resolution, closing the interpretation conflict that allowed unintended domain routing.
  3. Add input validation guardrails earlier in the address processing pipeline, so malformed addresses fail fast with a clear error rather than triggering undefined behavior deep in the parser.

Because the fix required changes to the parsing API's behavior (not just an internal patch), the maintainers correctly incremented the major version — and that's why this fix required a direct major upgrade rather than a simple patch bump.

Migration Consideration

Since this is a major version upgrade, developers should review the Nodemailer 7.x changelog for any breaking API changes before deploying. Common areas to check:

  • Transport configuration options
  • DKIM signing API
  • OAuth2 token handling
  • Attachment streaming behavior

In most standard sendMail() usage patterns, the upgrade is drop-in compatible.

Prevention & Best Practices

1. Validate Email Addresses Before Passing to Nodemailer

Never pass raw user input directly to sendMail(). Use a well-tested validation library as a first line of defense:

const { validate } = require('email-validator'); // or use zod, joi, etc.

if (!validate(userSuppliedEmail)) {
  throw new Error('Invalid email address provided.');
}

transporter.sendMail({ to: userSuppliedEmail, ... });

This won't replace patching Nodemailer, but it reduces the attack surface significantly.

2. Keep Dependency Lock Files Audited

The vulnerability lived in package-lock.json — the file that pins exact transitive and direct dependency versions. Lock files are security artifacts, not just reproducibility tools. Regularly audit them:

# Check for known vulnerabilities in your lock file
npm audit

# Automatically fix fixable vulnerabilities
npm audit fix

# For major version upgrades (like this one), use:
npm audit fix --force

3. Use Automated Dependency Scanning in CI/CD

Integrate tools like Dependabot, Snyk, or Socket.dev into your pipeline so vulnerabilities like CVE-2025-14874 are caught and auto-patched before they reach production.

4. Apply the Principle of Least Privilege to Email Headers

Only pass headers and fields to Nodemailer that your application explicitly constructs. Avoid forwarding arbitrary user-supplied strings as header values:

// RISKY — forwarding user input as a header value
headers: { 'X-Custom': req.body.customHeader }

// SAFER — whitelist specific known-good values
headers: { 'X-Source': 'registration-flow' }

5. Relevant Security Standards

  • CWE-400: Uncontrolled Resource Consumption (the DoS aspect)
  • CWE-116: Improper Encoding or Escaping of Output (the interpretation conflict aspect)
  • OWASP A06:2021 – Vulnerable and Outdated Components
  • OWASP A03:2021 – Injection (for the domain misrouting vector)

Key Takeaways

  • CVE-2025-14874 is exploitable through user-controlled email address inputs — any endpoint that accepts an email address and passes it to Nodemailer 6.10.1 is a potential DoS trigger.
  • The package-lock.json in Dise-ador-experto-master was pinning the vulnerable 6.10.1 version, meaning even an npm install on a fresh clone would have installed the vulnerable code.
  • Upgrading to Nodemailer 7.0.7 fixes both the DoS and the interpretation conflict — the two issues share a root cause in the address parsing logic.
  • A major version bump was necessary because the fix changed parsing behavior, not just an internal implementation detail — review the 7.x changelog before deploying.
  • Input validation at the application layer is a defense-in-depth measure, but it does not replace patching the underlying library vulnerability.

Conclusion

CVE-2025-14874 is a reminder that even mature, widely trusted libraries like Nodemailer can harbor dangerous edge cases in their input-parsing logic. In this case, the combination of a denial-of-service risk and a potential email misrouting flaw made the vulnerability high severity — and the fact that it was locked in package-lock.json at version 6.10.1 meant it would persist silently until explicitly addressed.

The automated fix — upgrading Nodemailer from 6.10.1 to 7.0.7 in Dise-ador-experto-master/package-lock.json — is the right call. Pair it with input validation on email address fields and automated dependency scanning in your CI pipeline, and you've turned a potential service outage into a non-event.

Stay current on your dependencies. Your email service will thank you.

This post is part of Orbis AppSec's automated vulnerability fix series. Fixes are generated and applied continuously to keep your codebase secure.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #11
View Repository →

Related Articles

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

high

Authorization Bypass in gRPC-Go HTTP/2 Path Validation (CVE-2026-33186)

A critical authorization bypass vulnerability (CVE-2026-33186) in `google.golang.org/grpc` v1.79.1 allowed attackers to circumvent gRPC authorization policies through malformed HTTP/2 path values. The fix upgrades the dependency in `src/go/go.mod` from v1.79.1 to v1.79.3, closing a path validation gap in the `grpc-go/authz` middleware that could have exposed protected RPC endpoints to unauthorized callers.

high

CVE-2026-41676: OpenSSL Bindings Vulnerability Fixed in Rust SDK Cargo.lock

A high-severity vulnerability (CVE-2026-41676) was discovered in the `rust-openssl` crate (version 0.10.73) used in the `apps/rust-sdk` component, as flagged by the Trivy scanner in `Cargo.lock`. The fix upgrades the `openssl` crate from `0.10.73` to `0.10.80` and `openssl-sys` from `0.9.109` to `0.9.116`, closing an exploitable attack surface in production code that handles user-influenced input. Because the Rust SDK sits in the production codebase, any attacker able to reach the OpenSSL code p