Back to Blog
high SEVERITY6 min read

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Headers

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer 6.10.1, where an attacker could craft a malicious email address header to crash or hang the mail-sending process. The fix involved a direct major version upgrade from 6.10.1 to 7.0.7 in the project's `package-lock.json`, closing the attack vector entirely. Applications relying on Nodemailer for transactional or user-triggered email are at risk until this upgrade is applied.

O
By Orbis AppSec
Published May 31, 2026Reviewed June 3, 2026

Answer Summary

CVE-2025-14874 is a high-severity Denial-of-Service (DoS) vulnerability (CWE-400: Uncontrolled Resource Consumption) in Nodemailer versions up to and including 6.10.1 for Node.js. An attacker can craft a malicious email address header—such as a deeply nested or pathologically long address string—that causes Nodemailer's internal address parser to hang or exhaust CPU/memory, crashing the mail-sending process. The fix is a major version upgrade from Nodemailer 6.10.1 to 7.0.7, which replaces the vulnerable address-parsing code path. All Node.js applications that pass user-controlled data into Nodemailer's recipient or sender fields should apply this upgrade immediately.

Vulnerability at a Glance

cweCWE-400 (Uncontrolled Resource Consumption)
fixUpgrade Nodemailer from 6.10.1 to 7.0.7 in package-lock.json
riskAttacker can crash or hang the mail-sending process, causing application unavailability
languageJavaScript / Node.js
root causeNodemailer 6.x address parser lacks protection against pathological input, leading to catastrophic backtracking or unbounded resource consumption
vulnerabilityDenial-of-Service via Crafted Email Address Header

CVE-2025-14874: How a Crafted Email Header Could Take Down Your Nodemailer Service

Introduction

The Dise-ador-experto-master/package-lock.json file locks a specific version of Nodemailer — one of the most widely used Node.js libraries for sending email. In this project, Nodemailer 6.10.1 was pinned as a direct dependency, and that version carries a high-severity flaw: CVE-2025-14874, a denial-of-service vulnerability triggered by a specially crafted email address header.

This matters because Nodemailer sits at a critical junction in many web applications — it processes externally supplied data (email addresses, headers) and converts them into SMTP transactions. When that input-parsing logic has a flaw, attackers don't need to compromise your database or bypass authentication; they just need to send a bad email address.


The Vulnerability Explained

What Goes Wrong in Nodemailer 6.10.1

CVE-2025-14874 is rooted in how Nodemailer 6.x parses and interprets email address headers. The vulnerability has two related dimensions:

  1. Denial of Service via crafted headers — A malformed or specially constructed email address value passed to Nodemailer's address parser can cause the process to hang, consume excessive CPU/memory, or throw an unhandled exception that crashes the Node.js process.

  2. Interpretation Conflict leading to unintended domain delivery — The same parsing ambiguity that causes the DoS can also cause Nodemailer to misinterpret the destination domain of an email, potentially routing messages to an unintended mail server. This is the "Interpretation Conflict" referenced in the PR title.

The Vulnerable Dependency in Context

In package-lock.json, the locked version looked like this:

// BEFORE — Vulnerable version locked in package-lock.json
"nodemailer": {
  "version": "6.10.1",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz",
  "integrity": "sha512-...",
  "requires": {}
}

Nodemailer 6.x's address parsing code contains logic that handles edge cases in RFC 5321/5322 address formats. When it encounters certain crafted inputs — such as addresses with unusual quoting, escaped characters in the local part, or deeply nested comment structures — the parsing routine can enter a pathological state.

A Concrete Attack Scenario

Consider a web application built on this project that accepts a user-supplied "Reply-To" or "CC" email address and passes it directly (or with minimal sanitization) to a Nodemailer sendMail() call:

// Simplified example of vulnerable usage pattern
transporter.sendMail({
  from: 'noreply@example.com',
  to: userSuppliedEmail,      // <-- attacker-controlled input
  replyTo: userSuppliedReplyTo, // <-- attacker-controlled input
  subject: 'Welcome!',
  text: 'Thanks for signing up.'
});

An attacker could supply a crafted value such as:

"very.unusual.\"@\".unusual.com"@example.com

or a deeply nested comment like:

user(comment(nested(deeply(((((bad)))))@evil.com)@legit.com

When Nodemailer 6.10.1's address parser processes this input, it can:

  • Enter a near-infinite parsing loop, spiking CPU to 100% and making the Node.js event loop unresponsive — effectively a self-inflicted DoS on your mail service.
  • Misidentify the domain portion of the address due to the interpretation conflict, causing the email to be dispatched to evil.com instead of legit.com — a potential data exfiltration or phishing amplification vector.

In a high-traffic application where email sending is triggered by user actions (registrations, password resets, contact forms), a single malicious request could starve the event loop and degrade or crash the entire application.


The Fix

What Changed

The fix is a direct major version upgrade of Nodemailer from 6.10.1 to 7.0.7, applied to Dise-ador-experto-master/package-lock.json.

// BEFORE — Vulnerable
"nodemailer": {
  "version": "6.10.1",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.1.tgz"
}

// AFTER — Fixed
"nodemailer": {
  "version": "7.0.7",
  "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-7.0.7.tgz"
}

Why a Major Version Bump?

This is a major version upgrade (6.x → 7.x), which signals that the Nodemailer maintainers made breaking changes alongside the security fix. The 7.x branch rewrote the address parsing and header serialization logic to:

  1. Eliminate the pathological parsing paths that caused CPU exhaustion on crafted inputs.
  2. Enforce stricter RFC compliance in domain-part resolution, closing the interpretation conflict that allowed unintended domain routing.
  3. Add input validation guardrails earlier in the address processing pipeline, so malformed addresses fail fast with a clear error rather than triggering undefined behavior deep in the parser.

Because the fix required changes to the parsing API's behavior (not just an internal patch), the maintainers correctly incremented the major version — and that's why this fix required a direct major upgrade rather than a simple patch bump.

Migration Consideration

Since this is a major version upgrade, developers should review the Nodemailer 7.x changelog for any breaking API changes before deploying. Common areas to check:

  • Transport configuration options
  • DKIM signing API
  • OAuth2 token handling
  • Attachment streaming behavior

In most standard sendMail() usage patterns, the upgrade is drop-in compatible.


Prevention & Best Practices

1. Validate Email Addresses Before Passing to Nodemailer

Never pass raw user input directly to sendMail(). Use a well-tested validation library as a first line of defense:

const { validate } = require('email-validator'); // or use zod, joi, etc.

if (!validate(userSuppliedEmail)) {
  throw new Error('Invalid email address provided.');
}

transporter.sendMail({ to: userSuppliedEmail, ... });

This won't replace patching Nodemailer, but it reduces the attack surface significantly.

2. Keep Dependency Lock Files Audited

The vulnerability lived in package-lock.json — the file that pins exact transitive and direct dependency versions. Lock files are security artifacts, not just reproducibility tools. Regularly audit them:

# Check for known vulnerabilities in your lock file
npm audit

# Automatically fix fixable vulnerabilities
npm audit fix

# For major version upgrades (like this one), use:
npm audit fix --force

3. Use Automated Dependency Scanning in CI/CD

Integrate tools like Dependabot, Snyk, or Socket.dev into your pipeline so vulnerabilities like CVE-2025-14874 are caught and auto-patched before they reach production.

4. Apply the Principle of Least Privilege to Email Headers

Only pass headers and fields to Nodemailer that your application explicitly constructs. Avoid forwarding arbitrary user-supplied strings as header values:

// RISKY — forwarding user input as a header value
headers: { 'X-Custom': req.body.customHeader }

// SAFER — whitelist specific known-good values
headers: { 'X-Source': 'registration-flow' }

5. Relevant Security Standards

  • CWE-400: Uncontrolled Resource Consumption (the DoS aspect)
  • CWE-116: Improper Encoding or Escaping of Output (the interpretation conflict aspect)
  • OWASP A06:2021 – Vulnerable and Outdated Components
  • OWASP A03:2021 – Injection (for the domain misrouting vector)

Key Takeaways

  • CVE-2025-14874 is exploitable through user-controlled email address inputs — any endpoint that accepts an email address and passes it to Nodemailer 6.10.1 is a potential DoS trigger.
  • The package-lock.json in Dise-ador-experto-master was pinning the vulnerable 6.10.1 version, meaning even an npm install on a fresh clone would have installed the vulnerable code.
  • Upgrading to Nodemailer 7.0.7 fixes both the DoS and the interpretation conflict — the two issues share a root cause in the address parsing logic.
  • A major version bump was necessary because the fix changed parsing behavior, not just an internal implementation detail — review the 7.x changelog before deploying.
  • Input validation at the application layer is a defense-in-depth measure, but it does not replace patching the underlying library vulnerability.

Conclusion

CVE-2025-14874 is a reminder that even mature, widely trusted libraries like Nodemailer can harbor dangerous edge cases in their input-parsing logic. In this case, the combination of a denial-of-service risk and a potential email misrouting flaw made the vulnerability high severity — and the fact that it was locked in package-lock.json at version 6.10.1 meant it would persist silently until explicitly addressed.

The automated fix — upgrading Nodemailer from 6.10.1 to 7.0.7 in Dise-ador-experto-master/package-lock.json — is the right call. Pair it with input validation on email address fields and automated dependency scanning in your CI pipeline, and you've turned a potential service outage into a non-event.

Stay current on your dependencies. Your email service will thank you.


This post is part of Orbis AppSec's automated vulnerability fix series. Fixes are generated and applied continuously to keep your codebase secure.

Frequently Asked Questions

What is a denial-of-service via crafted email address headers?

It is an attack where a malformed or pathologically complex email address string is supplied to a mail library's address parser, causing the parser to consume excessive CPU or memory—or loop indefinitely—until the process crashes or becomes unresponsive.

How do you prevent this type of DoS in Node.js email sending?

Upgrade Nodemailer to version 7.0.7 or later, validate and sanitize all user-supplied email address strings before passing them to Nodemailer, and consider rate-limiting or allowlisting email domains on user-facing forms.

What CWE is associated with this vulnerability?

CWE-400: Uncontrolled Resource Consumption (also sometimes categorized under CWE-1333: Inefficient Regular Expression Complexity for regex-based parsers).

Is input validation alone enough to prevent this vulnerability in Nodemailer 6.x?

Not reliably. While validating email addresses before passing them to Nodemailer reduces risk, the safest remediation is upgrading to 7.0.7, because the vulnerable parsing logic sits inside the library itself and can be triggered by edge cases that simple regex validation might miss.

Can static analysis detect this type of vulnerability?

Static analysis tools can flag outdated dependency versions with known CVEs (e.g., via npm audit, Dependabot, or Orbis AppSec), but detecting the precise trigger condition requires dynamic analysis or fuzzing of the address parser. Dependency scanning is the most reliable automated detection method here.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #11

Related Articles

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

A high-severity denial-of-service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.0, where a specially crafted email address header could cause the application to hang or crash. The fix involved upgrading Nodemailer from version 6.10.1 to 7.0.7 in the `Dise-ador-experto-master` project's `package-lock.json`. This major version upgrade closes the attack surface and ensures email processing remains stable under adversarial input.

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header Parsing

A high-severity Denial of Service vulnerability (CVE-2025-14874) was discovered in Nodemailer versions prior to 7.0.11, where a specially crafted email address header could cause the application to hang or crash. The fix involved a major version bump from Nodemailer 6.10.1 to 7.0.11 in the `Dise-ador-experto-master/package-lock.json` dependency file. Left unpatched, this vulnerability could allow any unauthenticated attacker to disrupt email-sending functionality and potentially take down the en

high

CVE-2025-14874: Nodemailer DoS via Crafted Email Address Header

CVE-2025-14874 is a high-severity Denial of Service vulnerability in Nodemailer that allows an attacker to crash an application by sending a specially crafted email address header. The vulnerability existed in Nodemailer versions prior to 7.0.11 and was present in the `Dise-ador-experto-master` project's `package-lock.json` dependency on version 6.10.1. Upgrading to Nodemailer 7.0.11 resolves the issue by fixing the underlying header parsing logic that could be exploited to cause unbounded resou

high

How missing Dependabot cooldown happens in GitHub Actions and how to fix it

A high-severity configuration vulnerability was discovered in a `.github/dependabot.yml` file that lacked a cooldown period for package updates. Without this safeguard, Dependabot could immediately propose updates to newly published package versions—including potentially malicious or unstable releases. The fix adds a simple `cooldown` block with a 7-day waiting period before any new package version is suggested.

high

How Server-Sent Events Injection via Unsanitized Newlines happens in Node.js h3 and how to fix it

A high-severity Server-Sent Events (SSE) injection vulnerability (CVE-2026-33128) was discovered in the h3 HTTP framework, where unsanitized newline characters in event stream fields could allow attackers to inject arbitrary SSE messages. The fix upgrades h3 from version 1.15.5 to 1.15.6 in the frontend's dependency tree, ensuring that newline characters are properly sanitized before being written to event streams.

high

How buffer overflow from unsafe string copy functions happens in C network interface code and how to fix it

A high-severity buffer overflow vulnerability was discovered in `generic/eth-impl.c`, where unsafe `strncpy()` and `sprintf()` calls could write beyond buffer boundaries when handling network interface names and device filenames. The fix replaced these dangerous functions with bounded `snprintf()` calls that guarantee null-termination and prevent memory corruption.