CVE-2025-62380
Description
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user-generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker-supplied script in the victim's browser. Version 2.0.32 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mailgen through 2.0.31 has an HTML injection vulnerability in plaintext emails, allowing XSS when untrusted input is processed.
Vulnerability
Mailgen versions up to 2.0.31 contain an HTML injection vulnerability in the generatePlaintext method [1][2]. The plaintext generation attempts to strip HTML tags using a regular expression and then decodes HTML entities. However, tags that include certain Unicode line separator characters are not matched and removed during the stripping step. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext [2][4].
Exploitation
An attacker can supply user-generated content containing specially crafted HTML tags with Unicode line separators [2]. When Mailgen.generatePlaintext is called with this untrusted input and the resulting string is rendered or processed in a context where HTML is interpreted (e.g., displayed in a web page or an HTML email client), the injected HTML becomes active. No authentication or special network position is required beyond being able to inject content into the email generation pipeline [4].
Impact
Successful exploitation can lead to execution of attacker-supplied script in the victim's browser, enabling cross-site scripting (XSS) attacks. This could allow theft of cookies, session tokens, or other sensitive information, or allow actions to be performed on behalf of the user [2][4].
Mitigation
The vulnerability is fixed in version 2.0.32 [2]. Users should update to the latest version. No workarounds are mentioned, but avoiding use of user-generated content in generatePlaintext until patched can reduce risk [3][4].
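The following is an added example, not code from mailgen or its maintainers. It reproduces the two tag-stripping regular expressions shown in the fix commit on this page (the pre-2.0.32 pattern and the patched one), probes each with a benign tag split by every ECMAScript line terminator to show which ones the old pattern misses, and adds an `escapeHtml` helper (an assumption, not part of mailgen) to illustrate the consumer-side mitigation of treating generatePlaintext output as text whenever it is placed in an HTML context:

```javascript
// Added example (not mailgen's own code): contrasts the tag-stripping regex
// used by mailgen <= 2.0.31 with the one from the 2.0.32 fix commit, and
// shows why a tag containing a Unicode line separator survives the old one.

// Old pattern from the diff: in JavaScript `.` does not match line
// terminators, and the alternation only re-admits "\n", so "\r", U+2028
// and U+2029 inside a tag make the whole tag unmatchable.
const STRIP_TAGS_OLD = /<(.|\n)+?>/g;

// Fixed pattern from the diff: the `s` (dotAll) flag makes `.` match every
// character, including all four line terminators.
const STRIP_TAGS_FIXED = /<.+?>/gs;

function stripTagsOld(text) {
  return text.replace(STRIP_TAGS_OLD, '');
}

function stripTagsFixed(text) {
  return text.replace(STRIP_TAGS_FIXED, '');
}

// The four characters ECMAScript treats as line terminators; each one is a
// probe for whether a stripper's `.` is dotAll.
const LINE_TERMINATORS = ['\n', '\r', '\u2028', '\u2029'];

// For each terminator, report whether a tag split by it is removed by each
// regex. The sample input is constructed: a harmless <span> whose tag name is
// followed by the separator instead of a space.
function survey() {
  return LINE_TERMINATORS.map((sep) => {
    const sample = `hello <span${sep}class="x">world</span>`;
    return {
      codePoint: 'U+' + sep.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'),
      oldStrips: !stripTagsOld(sample).includes('<'),
      fixedStrips: !stripTagsFixed(sample).includes('<'),
    };
  });
}

// Consumer-side defence (an assumption, not a mailgen API): whatever
// generatePlaintext returns is text, so escape it before inserting it into
// an HTML context rather than trusting that every tag was stripped.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(survey());
  const leaked = stripTagsOld('x <b\u2028>y</b>');
  console.log('old regex output:', JSON.stringify(leaked));
  console.log('escaped for HTML:', escapeHtml(leaked));
}
```

Running the file prints a table in which only `U+000A` is stripped by the old pattern while all four terminators are stripped by the fixed one; the `escapeHtml` step is what keeps a consumer safe even on the unpatched version, because the leaked tag is rendered as literal text rather than markup.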
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mailgen (npm) | < 2.0.32 | 2.0.32 |
Affected products
Patches (2)
17a791a424ff3 index.js: Fix additional HTML injection security issue in plaintext e-mails (thanks @edoardottt)
1 file changed · +1 −1
index.js+1 −1 modified@@ -126,7 +126,7 @@ Mailgen.prototype.generatePlaintext = function (params) { output = he.decode(output); // Strip all HTML tags from plaintext output - output = output.replace(/<(.|\n)+?>/g, ''); + output = output.replace(/<.+?>/gs, ''); // All done! return output;
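Review bot: the switch to the `s` (dotAll) flag in the hunk's replacement line is the correct fix for the root cause: in JavaScript `.` excludes all four line terminators (`\n`, `\r`, U+2028, U+2029), and the old `(.|\n)+?` alternation only re-admitted `\n`, so a tag containing `\r` or a Unicode line/paragraph separator never matched and was passed through. Two follow-ups worth recording in the same change: the `s` flag is an ES2018 feature, so the package's supported Node range should be checked against it, and since `/<.+?>/gs` still depends on a literal `>` to close each tag, the comment "Strip all HTML tags" overstates what a regex can guarantee; consumers that place this output in an HTML context should still escape it.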
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (4)
No linked articles in our index yet.