CVE-2025-62380
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker supplied script in the victim’s browser. Version 2.0.32 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62380
EUVD
EUVD-2025-34682
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eladnava mailgen 2.0.31
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection issue in the mailgen Node.js package versions up to 2.0.31. When generating plaintext emails using the generatePlaintext method with user-supplied content, the code tries to remove HTML tags using a regular expression. However, it fails to remove tags that contain certain Unicode line separator characters. These tags are later decoded into valid HTML, allowing unexpected HTML content to remain in what should be plaintext output. If this output is rendered in a context that interprets HTML, it can lead to execution of attacker-supplied scripts in the victim's browser.

Impact Analysis

This vulnerability can lead to execution of attacker-supplied scripts in the victim's browser if untrusted input is passed to mailgen's generatePlaintext method and the output is rendered in an HTML-interpreting context. This can result in cross-site scripting (XSS) attacks, potentially compromising user data, session tokens, or enabling other malicious actions within the affected application.

Detection Guidance

You can detect this vulnerability by identifying if your project uses mailgen versions through 2.0.31 and calls the generatePlaintext method with untrusted input. Since the vulnerability involves HTML injection in plaintext emails, you can inspect generated plaintext emails for unexpected HTML content. There are no specific commands provided in the resources, but checking your package version with 'npm list mailgen' and reviewing code usage of 'generatePlaintext' with untrusted input is recommended.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade mailgen to version 2.0.32 or later, where the issue is fixed. Additionally, avoid passing untrusted input to the generatePlaintext method or ensure proper sanitization before usage.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart