Anonymous Intelligence Signal

Nodemailer Security Flaw (CVE-2025-13033): Email Parser Bug Can Misdirect Messages

human The Lab unverified 2026-04-08 17:27:19 Source: GitHub Issues

A critical vulnerability in the widely used Nodemailer library exposes email systems to message misrouting. The flaw, tracked as CVE-2025-13033, stems from the library's incorrect parsing of email addresses whose quoted local-part contains an '@' symbol. The parser can extract the wrong domain from such an address and route the message there instead of to the RFC-compliant recipient. The security advisory warns that this could lead to sensitive information being delivered to the wrong destination.

The vulnerability affects versions prior to v8.0.0. The GitHub security advisory details that the bug is triggered by a specific payload format, such as `"[email protected] x"@inte`. The automated dependency update tool RenovateBot flagged this as a high-priority security update, bumping the dependency from ~6.9.13 to ~8.0.0. The update is marked with high confidence, indicating a stable and necessary fix for the security issue.
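As an added illustration (not Nodemailer's code and not the actual patched parser), the following contrasts a naive address splitter with a quote-aware one and shows the domain guard a sending service can apply before handing an address to any mailer; the sample addresses are constructed.

```javascript
// Constructed illustration of the misparse class described above.
// Not Nodemailer's code; the behaviour of the real bug may differ in detail.

// Naive split: treats everything after the FIRST '@' as the domain.
// A quoted local-part such as "a@b x" therefore yields the wrong domain.
function naiveDomain(address) {
  const at = address.indexOf('@');
  return at === -1 ? null : address.slice(at + 1);
}

// Quote-aware split of an RFC 5322 addr-spec. Inside a quoted-string
// local-part, '@' is just a character. Returns null unless the input is
// exactly one well-formed local@domain.
function parseAddrSpec(address) {
  let i = 0;
  let local = '';
  if (address[0] === '"') {
    i = 1;
    let closed = false;
    while (i < address.length) {
      const ch = address[i];
      if (ch === '\\' && i + 1 < address.length) { // quoted-pair, e.g. \"
        local += address[i + 1];
        i += 2;
      } else if (ch === '"') {
        closed = true;
        i += 1;
        break;
      } else {
        local += ch;
        i += 1;
      }
    }
    if (!closed) return null; // unterminated quoted-string
  } else {
    // dot-atom local-part: runs up to the first '@'
    while (i < address.length && address[i] !== '@') local += address[i++];
  }
  if (address[i] !== '@' || local.length === 0) return null;
  const domain = address.slice(i + 1);
  // domain must be a plain dot-atom: no '@', no spaces, no empty labels
  if (!/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/.test(domain)) return null;
  return { local, domain };
}

// Defensive guard: send only if an RFC-aware parse yields the domain the
// caller expects (e.g. an allow-list of recipient domains).
function recipientDomainMatches(address, expectedDomain) {
  const parsed = parseAddrSpec(address);
  return parsed !== null &&
    parsed.domain.toLowerCase() === expectedDomain.toLowerCase();
}
```

Comparing `naiveDomain` with `parseAddrSpec` on a quoted local-part that contains '@' shows how the two disagree on the routing domain, which is the failure mode the advisory describes.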

This flaw poses a direct risk to any application that uses Nodemailer to send or parse email, which includes a great many web applications, notification services, and backend systems. The misrouting is not a theoretical concern but a demonstrable parser failure that undermines the basic integrity of email delivery. Developers and security teams must prioritize applying this patch to prevent potential data leaks, privacy violations, and compliance failures stemming from misdirected communications.