{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14874", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-12-18T06:54:04.556Z", "datePublished": "2025-12-18T08:40:31.916Z", "dateUpdated": "2026-01-08T02:59:52.145Z"}, "containers": {"cna": {"title": "Nodemailer: nodemailer: denial of service via crafted email address header", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser."}], "affected": [{"vendor": "nodemailer", "product": "nodemailer", "versions": [{"status": "affected", "version": "0", "lessThan": "7.0.11", "versionType": "semver"}], "packageName": "nodemailer", "collectionURL": "https://github.com/nodemailer/nodemailer", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhacm2/acm-grafana-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:acm:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ceph Storage 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhceph/grafana-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ceph_storage:8"]}, {"vendor": "Red Hat", "product": "Red Hat Developer Hub", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhdh/rhdh-hub-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:rhdh:1"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14874", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "name": "RHBZ#2418133", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/nodemailer/nodemailer"}, {"url": "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150"}, {"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"}], "datePublic": "2025-12-01T20:44:25.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-703", "description": "Improper Check or Handling of Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-703: Improper Check or Handling of Exceptional Conditions", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2025-12-01T22:06:37.176154+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-12-01T20:44:25+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank uko3211 for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-08T02:59:52.145Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"references": [{"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v", "tags": ["exploit"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T14:32:42.747682Z", "id": "CVE-2025-14874", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T14:32:56.024Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14874", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T14:32:42.747682Z"}}}], "references": [{"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v", "tags": ["exploit"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T14:32:37.484Z"}}], "cna": {"title": "Nodemailer: nodemailer: denial of service via crafted email address header", "credits": [{"lang": "en", "value": "Red Hat would like to thank uko3211 for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nodemailer", "product": "nodemailer", "versions": [{"status": "affected", "version": "0", "lessThan": "7.0.11", "versionType": "semver"}], "packageName": "nodemailer", "collectionURL": "https://github.com/nodemailer/nodemailer", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:acm:2"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Management for Kubernetes 2", "packageName": "rhacm2/acm-grafana-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ceph_storage:8"], "vendor": "Red Hat", "product": "Red Hat Ceph Storage 8", "packageName": "rhceph/grafana-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhdh:1"], "vendor": "Red Hat", "product": "Red Hat Developer Hub", "packageName": "rhdh/rhdh-hub-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-12-01T22:06:37.176154+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-12-01T20:44:25+00:00", "value": "Made public."}], "datePublic": "2025-12-01T20:44:25.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-14874", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133", "name": "RHBZ#2418133", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/nodemailer/nodemailer"}, {"url": "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150"}, {"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-703", "description": "Improper Check or Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-01-08T02:59:52.145Z"}, "x_redhatCweChain": "CWE-703: Improper Check or Handling of Exceptional Conditions"}}, "cveMetadata": {"cveId": "CVE-2025-14874", "state": "PUBLISHED", "dateUpdated": "2026-01-08T02:59:52.145Z", "dateReserved": "2025-12-18T06:54:04.556Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-12-18T08:40:31.916Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodemailer:nodemailer:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3ABBB33C-621B-4520-99B8-1C687484F816", "versionEndExcluding": "7.0.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_management_for_kubernetes:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B0E6B4B-BAA6-474E-A18C-72C9719CEC1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "52AE9D9D-5D74-4AB8-8FF9-5CEA2A1A97B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:developer_hub:-:*:*:*:*:*:*:*", "matchCriteriaId": "C64C29AF-F32F-4AC1-BC84-276B4024D0C5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser."}], "id": "CVE-2025-14874", "lastModified": "2026-01-08T03:15:43.190", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-12-18T09:15:44.870", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2025-14874"}, {"source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133"}, {"source": "[email protected]", "tags": ["Product"], "url": "https://github.com/nodemailer/nodemailer"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-703"}], "source": "[email protected]", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank uko3211 for reporting this issue.", "bugzilla": {"description": "nodemailer: Nodemailer: Denial of service via crafted email address header", "id": "2418133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2418133"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-703", "details": ["A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-14874", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:8", "fix_state": "Fix deferred", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 8"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2025-12-01T20:44:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14874\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14874\nhttps://github.com/nodemailer/nodemailer\nhttps://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b68336a150\nhttps://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v"], "statement": "This vulnerability is rated Moderate for Red Hat products that utilize Nodemailer, as a specially crafted email address header can trigger infinite recursion in the address parser. This can lead to a denial of service, causing the affected service to crash immediately. Exploitation does not require authentication and can be achieved with a single request.", "threat_severity": "Moderate"}