7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-14874

CVE-2025-14874: Nodemailer: nodemailer: denial of service via crafted email address header

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-14874

CVE-2025-14874:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nodemailer	npm	< 7.0.11	7.0.11

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an uncontrolled recursion flaw (CWE-674) in Nodemailer's email address parser. The root cause is the lack of a depth limit when parsing nested group addresses as defined in RFC 5322. The addressparser and _handleAddress functions in lib/addressparser/index.js form a recursive loop. An attacker can supply a specially crafted email address string with a large number of nested groups (e.g., "group1: group2: ... : user@example.com;").

When the addressparser function processes this string, it identifies the outer group and calls _handleAddress. _handleAddress then recursively calls addressparser to process the inner group's contents. This cycle repeats for each nested group. Without a limit, this recursion continues until the Node.js call stack is exhausted, causing a "Maximum call stack size exceeded" error and crashing the application, resulting in a Denial of Service.

The patch addresses this by introducing a MAX_NESTED_GROUP_DEPTH constant and adding a depth counter to the addressparser and _handleAddress functions. This ensures that the recursion stops after a safe number of iterations, preventing the stack overflow.

Vulnerable functions

addressparser

lib/addressparser/index.js

This function is the main entry point for parsing address strings and is also called recursively. The vulnerability existed because there was no check to limit the recursion depth. A malicious input with deeply nested groups would cause this function to call itself indirectly via `_handleAddress` until the call stack was exhausted, leading to a process crash and Denial of Service. The patch introduces a depth check to prevent this.

_handleAddress

lib/addressparser/index.js

This function is part of the recursive loop. When parsing a group address, it calls the `addressparser` function to handle the nested members. Before the patch, this recursive call did not track its depth. A crafted input could force this function to trigger a deep recursion by calling `addressparser` repeatedly for nested groups, leading to a stack overflow. The patch modifies the recursive call to pass along an incremented depth counter.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-14874: Nodemailer: nodemailer: denial of service via crafted email address header

CVE-2025-14874:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

Technical Details

CVE-2025-14874: Nodemailer: nodemailer: denial of service via crafted email address header

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI