nodemailer-6.10.0.tgz: 2 vulnerabilities (highest severity is: 7.5) #124
Description
Vulnerable Library - nodemailer-6.10.0.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.0.tgz
Path to dependency file: /SmartDappsBuilder/backend/package.json
Path to vulnerable library: /SmartDappsBuilder/backend/node_modules/nodemailer/package.json
Found in HEAD commit: 2ed3e6d266405677eb45c15a472c288b604a1cad
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (nodemailer version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-14874 |  High |
7.5 | nodemailer-6.10.0.tgz | Direct | 7.0.11 | ❌ |
| CVE-2025-13033 | High |
7.5 | nodemailer-6.10.0.tgz | Direct | 7.0.7 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-14874
Vulnerable Library - nodemailer-6.10.0.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.0.tgz
Path to dependency file: /SmartDappsBuilder/backend/package.json
Path to vulnerable library: /SmartDappsBuilder/backend/node_modules/nodemailer/package.json
Dependency Hierarchy:
- ❌ nodemailer-6.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 2ed3e6d266405677eb45c15a472c288b604a1cad
Found in base branch: main
Vulnerability Details
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Publish Date: 2025-12-18
URL: CVE-2025-14874
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-18
Fix Resolution: 7.0.11
Step up your Open Source Security Game with Mend here
CVE-2025-13033
Vulnerable Library - nodemailer-6.10.0.tgz
Easy as cake e-mail sending from your Node.js applications
Library home page: https://registry.npmjs.org/nodemailer/-/nodemailer-6.10.0.tgz
Path to dependency file: /SmartDappsBuilder/backend/package.json
Path to vulnerable library: /SmartDappsBuilder/backend/node_modules/nodemailer/package.json
Dependency Hierarchy:
- ❌ nodemailer-6.10.0.tgz (Vulnerable Library)
Found in HEAD commit: 2ed3e6d266405677eb45c15a472c288b604a1cad
Found in base branch: main
Vulnerability Details
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.
Publish Date: 2025-11-14
URL: CVE-2025-13033
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-14
Fix Resolution: 7.0.7
Step up your Open Source Security Game with Mend here