CVE-2025-62380: 
JavaScript vulnerability analysis and mitigation

Mailgen, a Node.js package for generating responsive HTML emails, contains an HTML injection vulnerability (CVE-2025-62380) in versions through 2.0.31. The vulnerability affects the generatePlaintext method when processing user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt) and was disclosed on October 15, 2025 (GitHub Advisory).

The vulnerability exists in the Mailgen.generatePlaintext function where the HTML sanitization process fails to properly handle Unicode-encoded characters within HTML tags. The function attempts to strip HTML tags using a regular expression (/<(.| )+?>/g) and then decodes HTML entities, but tags containing certain Unicode line separator characters bypass the sanitization. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext (GitHub Advisory, Miggo).

When the plaintext message is rendered in a context where HTML is interpreted, the vulnerability can lead to Cross-Site Scripting (XSS) attacks. This could potentially result in arbitrary code execution in the victim's browser, enabling attackers to steal secrets or sensitive information contained in the email messages (GitHub Advisory).

The vulnerability has been fixed in version 2.0.32 of Mailgen. Users should upgrade to this version or later to address the security issue (GitHub Advisory).