DEBIAN-CVE-2025-13033

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-13033

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13033.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-13033

Upstream

CVE-2025-13033

Published

2025-11-14T20:15:45.957Z

Modified

2026-01-10T14:07:38.888349Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

References

https://security-tracker.debian.org/tracker/CVE-2025-13033

Affected packages

Debian:11 / node-nodemailer

Package

Name: node-nodemailer
Purl: pkg:deb/debian/node-nodemailer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.4.17-3

6.6.1-1

6.6.3-1

6.6.5-1

6.7.0-1

6.7.0-2

6.7.1+~6.4.4-1

6.7.2+~6.4.4-1

6.7.3+~6.4.4-1

6.7.4+~6.4.4-1

6.7.5+~6.4.4-1

6.7.6+~6.4.4-1

6.7.7+~6.4.4-1

6.7.8+~6.4.5-1

6.7.8+~6.4.5-2

6.8.0+~6.4.6-1

6.9.4+~6.4.9-1

6.9.4+~6.4.9-2

6.9.4+~6.4.9-3

6.9.4+~6.4.9-4

6.9.13+~6.4.14-1

6.9.15+~6.4.16-1

6.9.16+~6.4.16-1

6.10.0+~6.4.17-1

7.*

7.0.5+~7.0.1-1

7.0.6+~7.0.1-1

7.0.9+~7.0.2-1

7.0.9+~7.0.2-2

7.0.10+~7.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13033.json"

Debian:12 / node-nodemailer

Package

Name: node-nodemailer
Purl: pkg:deb/debian/node-nodemailer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

6.*

6.8.0+~6.4.6-1

6.9.4+~6.4.9-1

6.9.4+~6.4.9-2

6.9.4+~6.4.9-3

6.9.4+~6.4.9-4

6.9.13+~6.4.14-1

6.9.15+~6.4.16-1

6.9.16+~6.4.16-1

6.10.0+~6.4.17-1

7.*

7.0.5+~7.0.1-1

7.0.6+~7.0.1-1

7.0.9+~7.0.2-1

7.0.9+~7.0.2-2

7.0.10+~7.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13033.json"

Debian:13 / node-nodemailer

Package

Name: node-nodemailer
Purl: pkg:deb/debian/node-nodemailer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.10.0+~6.4.17-1+deb13u1

Affected versions

6.*

6.10.0+~6.4.17-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13033.json"

Debian:14 / node-nodemailer

Package

Name: node-nodemailer
Purl: pkg:deb/debian/node-nodemailer?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.9+~7.0.2-1

Affected versions

6.*

6.10.0+~6.4.17-1

7.*

7.0.5+~7.0.1-1

7.0.6+~7.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-13033.json"