High severityOSV Advisory· Published Dec 18, 2025· Updated Jan 8, 2026
Nodemailer: nodemailer: denial of service via crafted email address header
CVE-2025-14874
Description
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nodemailernpm | < 7.0.11 | 7.0.11 |
Affected products
38- Range: v0.1, v0.1.1, v0.1.10, …
- osv-coords37 versionspkg:apk/chainguard/jitsucom-jitsupkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/jitsucom-jitsu-rotorpkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.18pkg:apk/chainguard/kibana-8.18-bitnamipkg:apk/chainguard/kibana-8.18-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-bitnamipkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-bitnamipkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/langfuse-3pkg:apk/chainguard/langfuse-3-compatpkg:apk/chainguard/langfuse-3-workerpkg:apk/chainguard/langfuse-web-3pkg:apk/chainguard/langfuse-web-compatpkg:apk/chainguard/langfuse-worker-3pkg:apk/chainguard/librechatpkg:apk/chainguard/librechat-compatpkg:apk/chainguard/librechat-devpkg:apk/wolfi/jitsucom-jitsupkg:apk/wolfi/jitsucom-jitsu-consolepkg:apk/wolfi/jitsucom-jitsu-rotorpkg:apk/wolfi/langfuse-3pkg:apk/wolfi/langfuse-3-compatpkg:apk/wolfi/langfuse-3-workerpkg:apk/wolfi/langfuse-web-3pkg:apk/wolfi/langfuse-web-compatpkg:apk/wolfi/langfuse-worker-3pkg:npm/nodemailer
< 2.11.0-r8+ 36 more
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 8.17.10-r4
- (no CPE)range: < 8.17.10-r4
- (no CPE)range: < 8.17.10-r4
- (no CPE)range: < 8.18.8-r3
- (no CPE)range: < 8.18.8-r3
- (no CPE)range: < 8.18.8-r3
- (no CPE)range: < 8.19.8-r0
- (no CPE)range: < 8.19.8-r0
- (no CPE)range: < 8.19.8-r0
- (no CPE)range: < 9.0.8-r3
- (no CPE)range: < 9.0.8-r3
- (no CPE)range: < 9.0.8-r3
- (no CPE)range: < 9.1.7-r2
- (no CPE)range: < 9.1.7-r2
- (no CPE)range: < 9.1.7-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 0.8.0-r5
- (no CPE)range: < 0.8.0-r5
- (no CPE)range: < 0.8.0-r5
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 2.11.0-r8
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 3.135.1-r2
- (no CPE)range: < 7.0.11
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-rcmh-qjqh-p98vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-14874ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-14874ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150ghsaWEB
- github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98vghsaWEB
News mentions
0No linked articles in our index yet.