Interpretation Conflict Affecting nodemailer package, versions <7.0.7

Q: How to fix?

Upgrade nodemailer to version 7.0.7 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-NODEMAILER-13378253
published7 Oct 2025
disclosed7 Oct 2025
creditxclow3n

Report a new vulnerability Found a mistake?

Introduced: 7 Oct 2025

NewCWE-436 (opens in a new tab)

How to fix?

Upgrade nodemailer to version 7.0.7 or higher.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause emails to be sent to unintended external recipients or bypass domain-based access controls by crafting specially formatted email addresses with quoted local-parts containing the @ character.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None