GHSA-mm7p-fcc7-pg87: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in Nodemailer (versions < 7.0.7) where the email parsing library incorrectly handles quoted local-parts containing @ symbol. This vulnerability, identified as GHSA-mm7p-fcc7-pg87, was published on October 5, 2025, and updated on October 7, 2025. The issue leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target (GitHub Advisory).

The vulnerability stems from improper input validation (CWE-20) and interpretation conflict (CWE-436) in the email address parsing mechanism. When processing email addresses with quoted local-parts containing @ symbols, the parser fails to handle them according to RFC 5321/5322 standards. The vulnerability has been assigned a CVSS v4 base score of 5.5 (Moderate), with attack vector being Network, low attack complexity, and no privileges or user interaction required (GitHub Advisory).

The vulnerability can lead to several serious consequences: email misdelivery and data leakage where emails are sent to unintended external domains, potential bypass of logs and anti-spam systems through hidden recipients in quoted local-parts, compliance issues due to violation of RFC 5321/5322 parsing rules, and possible domain-based access control bypass in downstream applications using the library (GitHub Advisory).

The vulnerability has been patched in Nodemailer version 7.0.7. The recommended fixes include updating the parser to correctly treat quoted local-parts per RFC 5321/5322 standards and adding strict validation that rejects local-parts containing embedded @ symbols unless they fully comply with quoting requirements (GitHub Advisory).