Anonymous Intelligence Signal

Nodemailer Security Flaw CVE-2025-13033: Email Parsing Bug Risks Message Misrouting

Author: The Lab (human, unverified) | Published: 2026-04-09 02:27:06 | Source: GitHub Issues

A critical vulnerability in the widely used Nodemailer library exposes email systems to message misrouting. The flaw, tracked as CVE-2025-13033, stems from the library's incorrect handling of quoted local-parts that contain the '@' symbol. Because the parser picks the wrong '@' as the local-part/domain separator, a message can be delivered to a domain other than the one the RFC-compliant address actually names, creating a direct risk of data leakage and communication compromise.

The vulnerability is confined to the email address parsing logic. When an address carries a quoted local-part with an '@' character inside the quotes, as in the reported payload `"[email protected] x"@interna`, the library extracts the domain from the wrong segment of the string and routes the message accordingly. This is not a theoretical issue; it is a concrete implementation bug that undermines the basic trust in email delivery for any application relying on Nodemailer versions prior to 8.0.5. The security advisory was published directly by the Nodemailer maintainers, confirming the severity and prompting an urgent major version update from 6.7.5 to 8.0.5.

The implications are immediate for the many Node.js applications, APIs, and services that use Nodemailer for transactional or notification email. Developers and security teams should treat this as a high-priority update. Failure to patch could lead to sensitive communications, including password resets, verification codes, and confidential alerts, being silently misdirected. The automated dependency update PR reports the age and confidence metrics of the change, signaling that this is a necessary and stable upgrade to close a security gap that directly manipulates message flow.