CVE-2025-14874
📋 TL;DR
A denial-of-service vulnerability in Nodemailer allows attackers to crash email-sending applications by sending specially crafted email addresses that trigger infinite recursion in the address parser. This affects any system using vulnerable versions of Nodemailer to process incoming email headers. The vulnerability can be exploited remotely without authentication.
💻 Affected Systems
- Nodemailer
📦 What is this software?
- Advanced Cluster Management For Kubernetes by Redhat
- Nodemailer by Nodemailer
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of email-sending functionality, potentially affecting dependent applications and services that rely on Nodemailer for email operations.
Likely Case
Application crashes or becomes unresponsive when processing malicious email headers, requiring manual restart and causing temporary service disruption.
If Mitigated
Minimal impact with proper input validation and rate limiting in place, though the vulnerable component remains exploitable.
🎯 Exploit Status
The vulnerability requires sending a specially crafted email address to trigger the infinite recursion. No authentication is needed if the application accepts email addresses from external sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.9.15 and later
Vendor Advisory: https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v
Restart Required: Yes
Instructions:
1. Update Nodemailer to version 6.9.15 or later using npm: npm update nodemailer@latest
2. Restart your application to load the updated package
3. Verify the version is 6.9.15 or higher
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject email addresses with suspicious patterns before they reach Nodemailer's parser
Rate Limiting
Implement rate limiting on email submission endpoints to reduce the impact of repeated exploitation attempts
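A pre-parser guard of the kind the Input Validation Filter workaround describes, as an added example (it is not Nodemailer's code and not from the advisory): it bounds the length and the nesting depth of untrusted address strings before they are handed to a recursive address parser. The length and depth caps are assumed values chosen for this example, and the sample recipient list is constructed.

```javascript
// Assumed caps for this example: generous for legitimate addresses,
// tight enough to stop deeply nested or oversized input early.
const MAX_ADDRESS_LENGTH = 320;
const MAX_NESTING_DEPTH = 4;

// Returns { ok, reason }. Tracks nesting of comments "(...)" and
// angle-bracket routes "<...>" and skips over quoted strings, so a
// quoted display name containing brackets is not miscounted.
function checkAddressInput(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  if (raw.length > MAX_ADDRESS_LENGTH) return { ok: false, reason: 'too long' };
  let depth = 0;
  let inQuote = false;
  for (let i = 0; i < raw.length; i++) {
    const ch = raw[i];
    if (inQuote) {
      if (ch === '\\') { i += 1; continue; }   // skip escaped char in quoted string
      if (ch === '"') inQuote = false;
      continue;
    }
    if (ch === '"') { inQuote = true; continue; }
    if (ch === '(' || ch === '<') {
      depth += 1;
      if (depth > MAX_NESTING_DEPTH) return { ok: false, reason: 'nesting too deep' };
    } else if (ch === ')' || ch === '>') {
      depth -= 1;
      if (depth < 0) return { ok: false, reason: 'unbalanced delimiters' };
    }
  }
  if (inQuote) return { ok: false, reason: 'unterminated quoted string' };
  if (depth !== 0) return { ok: false, reason: 'unbalanced delimiters' };
  return { ok: true, reason: null };
}

// Splits an untrusted recipient list into entries safe to forward to the
// mailer and entries to drop, keeping the rejection reason for logging.
function filterRecipients(list) {
  const accepted = [];
  const rejected = [];
  for (const addr of list) {
    const result = checkAddressInput(addr);
    if (result.ok) accepted.push(addr);
    else rejected.push({ address: addr, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed sample input: two well-formed entries and four that trip a cap.
const SAMPLE_RECIPIENTS = [
  'alice@example.com',
  'Bob Example (work) <bob@example.com>',
  '((((((x))))))@example.com',
  '"unterminated@example.com',
  'x'.repeat(400) + '@example.com',
  'c) <c@example.com>',
];
```

Run filterRecipients on the raw list and pass only the accepted entries to Nodemailer; log the rejected entries with their reasons, since they double as a detection signal for the indicators listed below.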
🧯 If You Can't Patch
- Implement a WAF or reverse proxy with rules to block email addresses containing patterns known to trigger the vulnerability
- Isolate the email processing service behind additional network segmentation and monitor for abnormal resource usage
🔍 How to Verify
Check if Vulnerable:
Check your package.json or run: npm list nodemailer | grep nodemailer
Check Version:
npm list nodemailer | grep nodemailer
Verify Fix Applied:
Verify the installed version is 6.9.15 or higher: npm list nodemailer
📡 Detection & Monitoring
Log Indicators:
- Application crashes or restarts related to email processing
- High CPU usage spikes in email processing functions
- Error logs containing stack traces with address parser functions
Network Indicators:
- Multiple failed email submission attempts from single IPs
- Unusual patterns in email address submissions
SIEM Query:
source="application.logs" AND ("nodemailer" OR "address parser") AND ("crash" OR "high cpu" OR "recursion")
🔗 References
- https://access.redhat.com/security/cve/CVE-2025-14874
- https://bugzilla.redhat.com/show_bug.cgi?id=2418133
- https://github.com/nodemailer/nodemailer
- https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150
- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v