Nodemailer Security Flaw CVE-2025-13033: Email Parsing Bug Risks Message Misrouting
A critical security vulnerability in the widely used Nodemailer library exposes applications to email misrouting. The flaw, tracked as CVE-2025-13033, stems from the library's incorrect handling of quoted local-parts containing the '@' symbol within email addresses. This parsing error can cause emails to be delivered to unintended recipients, posing a direct threat to data confidentiality and system integrity for the many projects that rely on the library for email functionality.
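The advisory text above does not spell out the exact parse that Nodemailer got wrong, so the following is an added illustration of the general ambiguity class rather than Nodemailer's code or a reproduction of the CVE. It contrasts a quoting-aware RFC 5322 addr-spec parser with a naive split on the first '@', and wraps both in a pre-send check that rejects any recipient on which the two views disagree about the domain or whose domain is outside an allowlist. The functions `parseAddrSpec`, `naiveFirstAtSplit` and `vetRecipient`, and the sample addresses (built on reserved example domains), are all constructed for this example.

```javascript
// Added example (not Nodemailer's code). Illustrates how a quoted local-part that
// contains '@' can make a naive address parser and a quoting-aware one disagree on
// the recipient domain, and a pre-send check that rejects such ambiguous addresses.
// Sample addresses below are constructed using reserved example domains.

// Quoting-aware parse of an RFC 5322 addr-spec: local-part@domain, where the
// local-part may be a quoted-string ("...") that is allowed to contain '@'.
function parseAddrSpec(addr) {
  let i = 0;
  let local = '';
  const quoted = addr.startsWith('"');
  if (quoted) {
    i = 1;
    let closed = false;
    while (i < addr.length) {
      const c = addr[i];
      // Backslash escapes the next character inside a quoted-string.
      if (c === '\\' && i + 1 < addr.length) { local += addr[i + 1]; i += 2; continue; }
      if (c === '"') { closed = true; i += 1; break; }
      local += c;
      i += 1;
    }
    if (!closed) return null;
  } else {
    while (i < addr.length && addr[i] !== '@') { local += addr[i]; i += 1; }
    if (local.length === 0) return null;
  }
  if (addr[i] !== '@') return null;
  const domain = addr.slice(i + 1);
  // The domain must be non-empty and may never contain '@'.
  if (domain.length === 0 || domain.includes('@')) return null;
  return { local, domain, quoted };
}

// Naive parse: split on the first '@', as many ad hoc address handlers do.
function naiveFirstAtSplit(addr) {
  const at = addr.indexOf('@');
  if (at < 1 || at === addr.length - 1) return null;
  return { local: addr.slice(0, at), domain: addr.slice(at + 1) };
}

// Defender-side check run before recipients reach any mailer: accept an address only
// if it parses, the quoting-aware and naive views agree on the domain, and the domain
// is allowlisted. Returns a rejection reason, or null when the address is accepted.
function vetRecipient(addr, allowedDomains) {
  const strict = parseAddrSpec(addr);
  if (!strict) return 'unparseable';
  const naive = naiveFirstAtSplit(addr);
  if (!naive || naive.domain.toLowerCase() !== strict.domain.toLowerCase()) {
    return 'ambiguous: quoted local-part contains "@"';
  }
  if (!allowedDomains.has(strict.domain.toLowerCase())) return 'domain not allowed';
  return null;
}

// Constructed sample recipients.
const SAMPLES = [
  'alice@example.org',
  '"bob smith"@example.org',
  '"carol@example.net"@example.org', // quoted local-part containing '@'
  'dave@example.net@example.org',     // unquoted with two '@': invalid
];

function vetAll(addrs, allowedDomains) {
  return addrs.map((a) => ({ addr: a, reason: vetRecipient(a, allowedDomains) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of vetAll(SAMPLES, new Set(['example.org']))) {
    console.log(r.reason === null ? 'ACCEPT' : `REJECT (${r.reason})`, r.addr);
  }
}
```

The rejection of the third sample is the point: both parses are internally consistent, but they name different domains, so the only safe choice for a sending application is to refuse the address until the library doing the final parse is known to handle quoted local-parts correctly (here, Nodemailer 8.0.4 or later).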
The vulnerability is present in versions prior to 8.0.4. The issue was addressed in a major update to version 8.0.4, as highlighted in a recent automated dependency pull request. The update represents a significant version jump from 6.9.16/6.10.0, underscoring the severity of the underlying fix. The advisory was published through GitHub's security advisory system, linking the CVE to a specific patch in the Nodemailer repository.
This flaw places immediate pressure on development teams across the ecosystem to audit and update their dependencies. Any application using an older version of Nodemailer for sending or processing email is potentially exposed to this misrouting behavior. The automated update via tools like Renovate shows that continuous dependency management is an operational security necessity, since a single library flaw can introduce systemic delivery risks.