CVE-2025-13033

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
redhatCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 14%
Debian logo
Debian Releases
Debian Product
Codename
node-nodemailer
bullseye
postponed
trixie
no-dsa
bookworm
no-dsa
forky
7.0.10+~7.0.2-1
fixed
sid
7.0.10+~7.0.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-nodemailer
questing
needs-triage
plucky
needs-triage
noble
needs-triage
jammy
needs-triage
focal
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-13033
https://bugzilla.redhat.com/show_bug.cgi?id=2402179
https://github.com/nodemailer/nodemailer
https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626
https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87