CVE-2025-14874
Denial of Service in Nodemailer via Recursive Address Parser
Publication date: 2025-12-18
Last updated on: 2025-12-18
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodemailer | nodemailer | 7.0.10 |
| nodemailer | nodemailer | 7.0.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14874 is a denial of service (DoS) vulnerability in Nodemailer caused by a flaw in its email address parser. The parser attempts to flatten nested email address groups recursively, but nested groups are invalid according to RFC 5322. An attacker can craft an email header with deeply nested groups using multiple colons, which causes the parser to recurse infinitely, leading to a stack overflow and crashing the Node.js process. This happens because the parser expects comma-separated members but receives colons, triggering repeated recursive calls without a depth limit. [1, 2]
How can this vulnerability impact me?
An attacker can exploit this vulnerability by sending a single malicious email header with deeply nested groups to any server or service using vulnerable Nodemailer versions (up to 7.0.10). This causes the Node.js process to crash immediately due to stack overflow. In environments using process managers like PM2 or Forever, this can lead to continuous restart loops, causing severe resource exhaustion and potential denial of service to legitimate users. No authentication is required to exploit this vulnerability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or stack overflow errors in Node.js processes running Nodemailer versions up to 7.0.10, especially errors such as 'Maximum call stack size exceeded'. Detection can also involve inspecting email headers for deeply nested group structures using multiple colons (e.g., 'g0: g1: g2: ...'), which are invalid per RFC 5322 and trigger the vulnerability. While no specific commands are provided in the resources, you can use network packet inspection tools (e.g., tcpdump, Wireshark) or log analysis to identify emails with suspiciously nested group headers containing many colons. Additionally, monitoring process crashes or restart loops in process managers like PM2 or Forever can indicate exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Nodemailer to version 7.0.11 or later, where the vulnerability is fixed by limiting the recursion depth in the email address parser to 50 levels. This prevents stack overflow and DoS attacks caused by deeply nested group headers. Until the upgrade is applied, consider implementing input validation or filtering to reject email headers with suspicious nested group structures containing multiple colons. Also, monitor and manage process restarts to avoid resource exhaustion in environments using process managers like PM2 or Forever. [3]
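The interim filtering described above, as an added defender-side example that is not Nodemailer's code and not taken from the advisory: a non-recursive scan that measures how deeply address groups are nested in a header value so a service can reject pathological input before it reaches the parser. The limit of 50 mirrors the cap the page attributes to 7.0.11; the sample headers and the function names are constructed for this example.

```javascript
// Added example, not Nodemailer's own code. Measures RFC 5322 group nesting
// ("name: members;") in an address header without recursion, so the check
// itself cannot blow the stack. Colons inside quoted strings, comments and
// domain literals (e.g. IPv6 literals) are skipped so that legitimate
// addresses are not miscounted.
const MAX_GROUP_DEPTH = 50; // assumption: mirrors the cap the advisory cites

function nestedGroupDepth(header) {
  let depth = 0;
  let maxDepth = 0;
  let inQuote = false;     // inside "..."
  let commentLevel = 0;    // nesting of (...) comments
  let inLiteral = false;   // inside [...] domain literal
  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    // quoted-pair: skip the escaped character inside quotes or comments
    if (ch === '\\' && (inQuote || commentLevel > 0)) { i++; continue; }
    if (inQuote) { if (ch === '"') inQuote = false; continue; }
    if (commentLevel > 0) {
      if (ch === '(') commentLevel++;
      else if (ch === ')') commentLevel--;
      continue;
    }
    if (inLiteral) { if (ch === ']') inLiteral = false; continue; }
    switch (ch) {
      case '"': inQuote = true; break;
      case '(': commentLevel = 1; break;
      case '[': inLiteral = true; break;
      case ':': depth++; if (depth > maxDepth) maxDepth = depth; break;
      case ';': if (depth > 0) depth--; break;
      default: break;
    }
  }
  return maxDepth;
}

// True when the header should be rejected before parsing.
function headerExceedsGroupDepth(header, limit = MAX_GROUP_DEPTH) {
  return nestedGroupDepth(header) > limit;
}

// Constructed sample inputs (not from the advisory).
const SAMPLE_FLAT = 'Team: "Alice: Lead" <alice@example.com>, bob@example.com;';
const SAMPLE_NESTED = 'outer: inner: deepest: carol@example.com;;;';
```

Run the check on the To/Cc/Bcc values a request supplies before calling Nodemailer; a depth above 1 is already outside RFC 5322, so the limit can be far lower than 50 for most services.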