Vulnerability Description
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodemailer | Nodemailer | < 7.0.11 |
| Redhat | Advanced Cluster Management For Kubernetes | 2.0 |
| Redhat | Ceph Storage | 8.0 |
| Redhat | Developer Hub | - |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2025-14874 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2418133 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/nodemailer/nodemailer (Product)
- https://github.com/nodemailer/nodemailer/commit/b61b9c0cfd682b6f647754ca338373b6 (Patch)
- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-rcmh-qjqh-p98v (Exploit, Vendor Advisory)
FAQ
What is CVE-2025-14874?
CVE-2025-14874 is a flaw in Nodemailer with a CVSS score of 7.5 (HIGH). It allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
How severe is CVE-2025-14874?
CVE-2025-14874 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-14874?
Check the references section above for vendor advisories and patch information. Affected products include: Nodemailer (versions < 7.0.11), Redhat Advanced Cluster Management For Kubernetes 2.0, Redhat Ceph Storage 8.0, and Redhat Developer Hub.