CVE-2025-62366: 
JavaScript vulnerability analysis and mitigation

A HTML injection vulnerability (CVE-2025-62366) was discovered in mailgen, a Node.js package that generates responsive HTML e-mails for sending transactional mail. The vulnerability affects versions through 2.0.30 and was discovered by Edoardo Ottavianelli. The issue lies in the generatePlaintext method when processing user-generated content, where HTML tags provided as encoded entities bypass the security filters (GitHub Advisory).

The vulnerability exists in the generatePlaintext function within index.js, which attempts to strip HTML content to produce plaintext output. The function fails to properly handle encoded HTML tags, as it only searches for and removes unencoded HTML tags. When encoded HTML tags are provided, they bypass the removal process and are later decoded, resulting in active HTML content in the supposed plaintext output. This can lead to successful injection of HTML tags with event handlers, such as img tags with onerror attributes (GitHub Advisory). The vulnerability has been assigned a CVSS 4.0 score of 2.9 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P (NVD).

When the generated plaintext content is rendered as HTML in certain contexts, the vulnerability can lead to arbitrary JavaScript code execution in the victim's browser. This could potentially result in the theft of secrets or sensitive information contained in the email messages (GitHub Advisory).

The vulnerability has been fixed in version 2.0.31 and later. No known workarounds exist for affected versions, making it crucial for users to upgrade to the patched version (NVD).