CVE-2025-14874
Unknown Unknown - Not Provided
Denial of Service in Nodemailer via Recursive Address Parser

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Red Hat, Inc.

Description
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14874
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nodemailer nodemailer 7.0.10
nodemailer nodemailer 7.0.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14874 is a denial of service (DoS) vulnerability in Nodemailer caused by a flaw in its email address parser. The parser attempts to flatten nested email address groups recursively, but nested groups are invalid according to RFC 5322. An attacker can craft an email header with deeply nested groups using multiple colons, which causes the parser to recurse infinitely, leading to a stack overflow and crashing the Node.js process. This happens because the parser expects comma-separated members but receives colons, triggering repeated recursive calls without a depth limit. [1, 2]

Impact Analysis

An attacker can exploit this vulnerability by sending a single malicious email header with deeply nested groups to any server or service using vulnerable Nodemailer versions (up to 7.0.10). This causes the Node.js process to crash immediately due to stack overflow. In environments using process managers like PM2 or Forever, this can lead to continuous restart loops, causing severe resource exhaustion and potential denial of service to legitimate users. No authentication is required to exploit this vulnerability. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or stack overflow errors in Node.js processes running Nodemailer versions up to 7.0.10, especially errors like 'Maximum call stack size exceeded'. Detection can also involve inspecting email headers for deeply nested group structures using multiple colons (e.g., 'g0: g1: g2: ...') which are invalid per RFC 5322 and trigger the vulnerability. While no specific commands are provided in the resources, you can use network packet inspection tools (e.g., tcpdump, Wireshark) or log analysis to identify emails with suspiciously nested group headers containing many colons. Additionally, monitoring process crashes or restart loops in process managers like PM2 or Forever can indicate exploitation attempts. [1, 2]

Mitigation Strategies

The immediate mitigation step is to upgrade Nodemailer to version 7.0.11 or later, where the vulnerability is fixed by limiting the recursion depth in the email address parser to 50 levels. This prevents stack overflow and DoS attacks caused by deeply nested group headers. Until the upgrade is applied, consider implementing input validation or filtering to reject email headers with suspicious nested group structures containing multiple colons. Also, monitor and manage process restarts to avoid resource exhaustion in environments using process managers like PM2 or Forever. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart