CVE-2025-62366
Description
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user‑generated content is supplied. The function attempts to remove HTML tags, but if tags are provided as encoded HTML entities they are not removed and are later decoded, resulting in active HTML (for example an img tag with an event handler) in the supposed plaintext output. In contexts where the generated plaintext string is subsequently rendered as HTML, this can allow execution of attacker‑controlled JavaScript. Versions 2.0.31 and later contain a fix. No known workarounds exist.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mailgen versions ≤2.0.30 have an HTML injection in generatePlaintext when user content includes encoded HTML entities, allowing JavaScript execution in plaintext output rendered as HTML.
Vulnerability
Mailgen through version 2.0.30 contains an HTML injection vulnerability in the generatePlaintext method, which is intended to produce plaintext versions of generated emails. The issue arises because the method strips HTML tags before decoding HTML entities. If a user supplies a tag encoded as HTML entities (e.g., &lt;img src=x onerror=alert(1)&gt;, which decodes to an img tag carrying an onerror handler), it passes the tag-stripping step untouched and is then decoded into active HTML, so the supposed plaintext output actually contains markup [1][2][3].
Exploitation
An attacker can exploit this by supplying specially crafted user-generated content in the email parameters passed to generatePlaintext. Because tags are stripped before entities are decoded, the attacker's entity-encoded tags survive the filtering step and are then decoded into valid HTML. If this plaintext string is subsequently rendered as HTML (for example, by a webmail client that displays plaintext as HTML), it could execute attacker-controlled JavaScript [2][3]. No authentication or special network position is required beyond the ability to supply user content to the email generation function.
Impact
Successful exploitation could lead to cross-site scripting (XSS) when the generated plaintext email is rendered as HTML. This could allow an attacker to execute arbitrary JavaScript in the context of the recipient's email client or web application, potentially stealing session cookies, defacing pages, or performing other malicious actions [2][3].
Mitigation
The vulnerability is fixed in Mailgen version 2.0.31. The fix reorders the two operations: HTML entities are decoded first, then tags are stripped, so an entity-encoded tag no longer survives the strip [4]. No workarounds exist; users should update to 2.0.31 or later [2][3].
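As an added example (not mailgen's own code), the following reproduces the ordering defect described above and the 2.0.31 fix side by side. decodeEntities is an assumed minimal stand-in for he.decode() that handles only a handful of entities; escapeForHtml is likewise an assumption showing the control a consumer needs whenever it renders the returned plaintext as HTML, since even the fixed ordering only strips tags, it does not make the string HTML-safe.

```javascript
// Added example, not mailgen's own code. Reproduces the strip/decode ordering
// bug from the advisory with a minimal stand-in for he.decode().

// Assumption: a tiny subset of the HTML entity table; he.decode() knows all of them.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", nbsp: ' ', copy: '\u00A9' };

// Single-pass entity decoder (named, decimal and hex numeric entities).
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const code = body[1].toLowerCase() === 'x'
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : match;
  });
}

// The tag-stripping regex that appears in the patched index.js on this page.
const TAG_RE = /<(.|\n)+?>/g;

// Ordering used through 2.0.30: strip tags first, decode entities second.
// An entity-encoded tag contains no '<' yet, so the strip never sees it.
function generatePlaintextVulnerable(html) {
  let output = html.replace(TAG_RE, '');
  output = decodeEntities(output);
  return output;
}

// Ordering used from 2.0.31: decode entities first, strip tags second.
function generatePlaintextFixed(html) {
  let output = decodeEntities(html);
  output = output.replace(TAG_RE, '');
  return output;
}

// Regression check: plaintext output must never contain a tag-like sequence.
function containsTag(text) {
  return /<[a-z!\/][^>]*>/i.test(text);
}

// Assumption: what a consumer must do before putting "plaintext" into HTML.
function escapeForHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Constructed sample inputs: an ordinary entity, and a tag supplied as entities.
const BENIGN = 'Thanks &amp; regards &copy; 2025';
const ENCODED_TAG = 'Hello &lt;img src=x onerror=alert(1)&gt; world';

function demo() {
  return {
    vulnerable: generatePlaintextVulnerable(ENCODED_TAG), // 'Hello <img src=x onerror=alert(1)> world'
    fixed: generatePlaintextFixed(ENCODED_TAG),           // 'Hello  world'
  };
}
```

Running demo() shows the vulnerable ordering returning a live img tag while the fixed ordering returns only the surrounding text; the double-encoded case (&amp;lt;b&amp;gt;) decodes once to &lt;b&gt;, which is inert text under either ordering and is left alone by the fix.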
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mailgen (npm) | < 2.0.31 | 2.0.31 |
Affected products
Patches (1)
Commit 17279a983481d: index.js: Fix additional HTML injection security issue in plaintext e-mails (thanks @edoardottt)
1 file changed · +3 −3
index.js+3 −3 modified@@ -122,12 +122,12 @@ Mailgen.prototype.generatePlaintext = function (params) { output = output.replace(/^(?: |\t)*/gm, ""); } - // Strip all HTML tags from plaintext output - output = output.replace(/<(.|\n)+?>/g, ''); - // Decode HTML entities such as © output = he.decode(output); + // Strip all HTML tags from plaintext output + output = output.replace(/<(.|\n)+?>/g, ''); + // All done! return output; };
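Review bot: the reorder closes the entity bypass, but the change touches only index.js and adds no regression test; add a case that passes user content containing &lt;img src=x onerror=alert(1)&gt; through generatePlaintext and asserts the result contains no "<". Also worth a comment above the strip: now that decoding runs first, `output = output.replace(/<(.|\n)+?>/g, '');` applies to user text that legitimately contained &lt; and &gt; (for example "a &lt; b &gt; c" loses " b "), which is acceptable for a plaintext fallback but is a behaviour change from the previous ordering.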
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.