CVE-2025-13033
Nodemailer: nodemailer: email to an unintended domain can occur due to interpretation conflict
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
| CWE | CWE-1286 |
| Vendor | nodemailer |
| Product | nodemailer |
| Published | Nov 14, 2025 |
| Last Updated | Mar 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for nodemailer nodemailer
Be the first to know when new high vulnerabilities affecting nodemailer nodemailer are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
nodemailer / nodemailer
0 < 7.0.7
Red Hat / Red Hat Developer Hub 1.9
All versions affected Red Hat / Red Hat Advanced Cluster Management for Kubernetes 2
All versions affected Red Hat / Red Hat Ceph Storage 8
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3751 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-13033 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2402179 github.com: https://github.com/nodemailer/nodemailer github.com: https://github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626 github.com: https://github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87