CVE-2025-62366: 
JavaScript vulnerability analysis and mitigation

Mailgen, a Node.js package for generating responsive HTML emails, was found to contain an HTML injection vulnerability (CVE-2025-62366) affecting versions through 2.0.30. The vulnerability exists in the generatePlaintext method when processing user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt) and was disclosed on October 14, 2025 (GitHub Advisory).

The vulnerability stems from a logical flaw in the Mailgen.prototype.generatePlaintext function where HTML tags are stripped before HTML entities are decoded. When HTML tags are provided as encoded entities, they bypass the initial stripping process and are later decoded into active HTML content. For example, a payload like '<img src=xyz onerror=alert(1)>' can bypass the security measures. The vulnerability has been assigned a CVSS v4.0 score of 2.9 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P and is classified as CWE-79 (Cross-site Scripting) (NVD, GitHub Advisory).

When the plaintext message is rendered in contexts that interpret HTML, the vulnerability can lead to arbitrary JavaScript code execution in the victim's browser. This could potentially result in the theft of sensitive information or secrets contained within the email message (GitHub Advisory).

The vulnerability has been patched in version 2.0.31 of Mailgen. The fix involves reversing the order of operations in the generatePlaintext function, first decoding HTML entities and then stripping HTML tags. No known workarounds exist for affected versions, and users are advised to upgrade to version 2.0.31 or later (GitHub Advisory).