GHSA-mm7p-fcc7-pg87: 
JavaScript vulnerability analysis and mitigation

A vulnerability in Nodemailer versions below 7.0.7 was discovered where the email parsing library incorrectly handles quoted local-parts containing @ symbol. The issue (GHSA-mm7p-fcc7-pg87) was published on October 5, 2025, and affects the npm package nodemailer. This vulnerability could lead to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target (GitHub Advisory).

The vulnerability stems from improper input validation (CWE-20) and interpretation conflict (CWE-436) in the email address parser. When processing email addresses with quoted local-parts containing @ symbols (e.g., '"xclow3n@gmail.com x"@internal.domain'), the parser incorrectly extracts and routes to an unintended domain. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Moderate), with base metrics indicating Network attack vector, Low complexity, and No attack requirements (GitHub Advisory).

The vulnerability can lead to several security implications including email misdelivery and data leakage where emails are sent to unintended domains, potential filter evasion allowing bypass of logs and anti-spam systems, compliance issues due to violation of RFC 5321/5322 parsing rules, and domain-based access control bypass in downstream applications using the library (GitHub Advisory).

The vulnerability has been patched in Nodemailer version 7.0.7. The fix includes correcting the parser to properly treat quoted local-parts according to RFC 5321/5322 standards and adding strict validation to reject local-parts containing embedded @ symbols unless fully compliant with quoting rules. Users are advised to upgrade to version 7.0.7 or later (Nodemailer Commit).