CVE-2025-62366
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user‑generated content is supplied. The function attempts to remove HTML tags, but if tags are provided as encoded HTML entities they are not removed and are later decoded, resulting in active HTML (for example an img tag with an event handler) in the supposed plaintext output. In contexts where the generated plaintext string is subsequently rendered as HTML, this can allow execution of attacker‑controlled JavaScript. Versions 2.0.31 and later contain a fix. No known workarounds exist.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62366
EUVD
EUVD-2025-34231
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
eladnava mailgen 2.0.32
eladnava mailgen 2.0.31
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection and Cross-Site Scripting (XSS) filter bypass in the Mailgen Node.js package, specifically in the generatePlaintext method. The method tries to remove HTML tags from user-supplied content to produce plaintext emails, but it fails to remove encoded HTML entities. These encoded entities are later decoded, resulting in active HTML tags (like an img tag with an event handler) in the plaintext output. If this plaintext is rendered as HTML, it can execute attacker-controlled JavaScript. [2]

Impact Analysis

If the plaintext email generated by Mailgen is rendered in an HTML context, this vulnerability can allow execution of arbitrary JavaScript controlled by an attacker. This can lead to exposure of sensitive information or enable further attacks such as Cross-Site Scripting (XSS). The actual impact depends on how the plaintext output is used in your environment. [2]

Detection Guidance

You can detect this vulnerability by checking the version of the Mailgen package used in your system. If the version is 2.0.30 or earlier, it is vulnerable. Additionally, you can look for suspicious encoded HTML entities in plaintext emails generated by the generatePlaintext method, such as encoded img tags with event handlers (e.g., &ltimg src=x onerror=alert(document.body.innerHTML)&gt). There are no specific commands provided in the resources, but you can use package management commands like `npm list mailgen` to check the installed version. For inspecting emails, you might search for encoded HTML entities in email logs or outputs. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Mailgen package to version 2.0.31 or later, where the issue has been fixed. No known workarounds exist, so updating is the recommended action to prevent HTML injection and XSS attacks via the generatePlaintext method. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62366. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart