CVE-2025-14874

HIGH

Nodemailer < 7.0.11 - Denial of Service via Crafted Email Address Header

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-14874. PoCs published by dwisiswant0.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-14874, a denial-of-service vulnerability in Nodemailer's addressparser module. The exploit demonstrates how a deeply nested group header can crash a Node.js process by triggering unbounded recursion.

Description

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.

Exploits (1)

github WORKING POC 1 stars
by dwisiswant0 · pythonpoc
https://github.com/dwisiswant0/neo-pocs/tree/master/2025/CVE-2025-14874

This repository contains a functional exploit PoC for CVE-2025-14874, a denial-of-service vulnerability in Nodemailer's addressparser module. The exploit demonstrates how a deeply nested group header can crash a Node.js process by triggering unbounded recursion.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: npm/nodemailer <= 7.0.10
No auth needed
Prerequisites: Node.js application using Nodemailer <= 7.0.10 · ability to send crafted email headers
devstral-2 · analyzed May 14, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 7.5
EPSS 0.0041
EPSS Percentile 32.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-703
Status published
Products (5)
nodemailer/nodemailer < 7.0.11
npm/nodemailer 0 - 7.0.11npm
redhat/advanced_cluster_management_for_kubernetes 2.0
redhat/ceph_storage 8.0
redhat/developer_hub
Published Dec 18, 2025
Tracked Since Feb 18, 2026