CVE-2025-13033
BaseFortify
Publication date: 2025-11-14
Last updated on: 2026-03-04
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodemailer | nodemailer | 7.0.6 |
| nodemailer | nodemailer | 7.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
| CWE-1286 | The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in an email parsing library where specially crafted recipient email addresses containing an external address within quotes cause the application to misdirect emails. Instead of delivering the email to the intended internal recipient, the email is sent to the attacker's external address.
How can this vulnerability impact me?
The vulnerability can lead to significant data leaks of sensitive information by sending emails to unauthorized external recipients. It also allows attackers to bypass security filters and access controls, potentially exposing confidential data.