Improper Validation of Syntactic Correctness of Input in nodemailer
CVE-2025-13033
- nodemailer
- org.webjars.npm:nodemailer
Summary
In nodemailer versions through 7.0.6, the email address parser incorrectly handles quoted local-parts containing '@'. This leads to misrouting of email recipients: the parser extracts an unintended domain and routes the message there instead of to the RFC-compliant target.
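The misparse described in the summary, as an added example (not nodemailer's code and not part of the advisory): a quote-aware split of an address next to a simplified quote-unaware one, plus a pre-send check that rejects quoted local-parts containing '@'. The function names, the sample address and the reject policy are assumptions made for illustration.

```javascript
// Added example. Sample address is constructed; names are hypothetical.
const SAMPLE = '"alice@external.example"@internal.example';

// Quote-aware split of an addr-spec into local-part and domain.
// Returns null when the input is not syntactically acceptable.
function splitAddrSpec(addr) {
  let i;
  if (addr[0] === '"') {
    // Quoted local-part: scan to the closing unescaped quote.
    i = 1;
    while (i < addr.length && addr[i] !== '"') {
      if (addr[i] === '\\') i++; // quoted-pair: skip the escaped character
      i++;
    }
    if (i >= addr.length) return null; // unterminated quote
    i++; // step past the closing quote
  } else {
    i = addr.indexOf('@'); // unquoted local-part ends at the first '@'
    if (i <= 0) return null;
  }
  if (addr[i] !== '@') return null;
  const domain = addr.slice(i + 1);
  // Conservative hostname check; a second '@' or a stray quote fails here.
  if (!/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(domain)) return null;
  return { local: addr.slice(0, i), domain: domain.toLowerCase() };
}

// Simplified stand-in for a quote-unaware parser (an assumption for
// illustration, not nodemailer's actual logic): domain starts at the first '@'.
function naiveDomain(addr) {
  const rest = addr.slice(addr.indexOf('@') + 1);
  return rest.replace(/[^A-Za-z0-9.-].*$/, '').toLowerCase();
}

// Pre-send check: reject malformed input and quoted local-parts containing '@'.
// Rejecting (rather than rewriting) is a policy choice assumed for this example.
function checkRecipient(addr) {
  const parsed = splitAddrSpec(addr.trim());
  if (!parsed) return { ok: false, reason: 'malformed' };
  if (parsed.local[0] === '"' && parsed.local.includes('@')) {
    return { ok: false, reason: 'quoted local-part contains @', domain: parsed.domain };
  }
  return { ok: true, domain: parsed.domain };
}

console.log(naiveDomain(SAMPLE), splitAddrSpec(SAMPLE).domain, checkRecipient(SAMPLE));
```

A check like this belongs wherever recipient addresses enter the application, so that allow-list or policy decisions are made on the same domain the mail will actually be delivered to.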
CWE-1286 - Improper Validation of Syntactic Correctness of Input
The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.