Description

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker supplied script in the victim’s browser. Version 2.0.32 fixes the issue.

INFO

Published Date :

2025-10-15T16:52:39.407Z

Last Modified :

2025-10-15T17:15:16.972Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62380 vulnerability.

Vendors Products
Mailgen
  • Mailgen
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62380.

URL Resource
https://github.com/eladnava/mailgen/commit/7a791a424ff3a3f7783f8750919f1e98639924a8 cve-icon cve-icon
https://github.com/eladnava/mailgen/security/advisories/GHSA-q4w9-x3rv-4c8j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability