CVE-2025-62380 in mailgen

Summary

by MITRE • 10/15/2025

mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user-generated content is supplied. The plaintext generation code attempts to strip HTML tags using a regular expression and then decodes HTML entities, but tags that include certain Unicode line separator characters are not matched and removed. These encoded tags are later decoded into valid HTML content, allowing unexpected HTML to remain in output intended to be plaintext. Projects are affected if they call Mailgen.generatePlaintext with untrusted input and then render or otherwise process the returned string in a context where HTML is interpreted. This can lead to execution of attacker-supplied script in the victim's browser. Version 2.0.32 fixes the issue.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/16/2025

The vulnerability identified as CVE-2025-62380 resides within the mailgen Node.js package, specifically affecting versions through 2.0.31. This package is widely utilized for generating responsive HTML emails for transactional messaging, making it a critical component in many email infrastructure systems. The flaw manifests in the generatePlaintext method which is designed to convert HTML content into plain text format for email clients that do not support HTML rendering. The vulnerability stems from an insufficient sanitization approach that relies on regular expressions to strip HTML tags from user-generated content, creating a security gap that attackers can exploit to inject malicious HTML code into what should be plain text output.

The technical implementation of the vulnerability occurs through a specific weakness in the HTML tag removal mechanism. The mailgen library employs a regular expression pattern to identify and eliminate HTML tags from content intended for plaintext generation, but this pattern fails to account for Unicode line separator characters that can be embedded within HTML tags. When user input containing these specially crafted tags is processed, the regular expression does not match the complete tag structure due to the presence of these Unicode characters, leaving the HTML tags partially intact. Subsequent HTML entity decoding processes then transform these encoded tags into valid HTML content, effectively bypassing the intended sanitization and allowing malicious code to persist in the output string.

The operational impact of this vulnerability extends beyond simple content injection, creating a potential cross-site scripting (XSS) attack vector that can compromise user sessions and execute unauthorized code within victim browsers. When applications using mailgen process untrusted input through the generatePlaintext method and subsequently render the output in HTML contexts, attackers can inject malicious scripts that execute in the browser of unsuspecting users. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities, and follows patterns commonly associated with ATT&CK technique T1566.001 for initial access through spearphishing attachments or links, as the malicious content could be embedded within email messages. The attack scenario becomes particularly dangerous when applications fail to properly sanitize or escape the generated plaintext output before displaying it in web contexts.

The remediation for CVE-2025-62380 is straightforward and involves upgrading to version 2.0.32 of the mailgen package, which implements corrected sanitization logic that properly handles Unicode line separator characters and ensures complete HTML tag removal. Security practitioners should conduct immediate inventory checks to identify all systems utilizing affected versions of mailgen and implement patch management procedures to upgrade to the secure version. Additionally, organizations should review their email processing workflows to ensure that any output from mailgen is properly escaped or sanitized before being rendered in HTML contexts, implementing defense-in-depth measures that include content security policies and input validation. The vulnerability demonstrates the importance of comprehensive sanitization approaches that account for all possible character encoding variations and Unicode sequences, particularly when dealing with user-generated content processing in web applications.
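The following is an added JavaScript example, not mailgen's own source, modelling the pipeline the analysis describes (regex tag stripping followed by entity decoding) together with the hardened regex and the post-stripping check the remediation paragraph calls for: in JavaScript, `.` never matches a line terminator, and U+2028 and U+2029 are line terminators, so a tag containing one survives a `.`-based pattern but not a `[\s\S]`-based one. The specific regex patterns, the minimal entity decoder and the sample string are assumptions constructed for this demonstration and are not taken from the package.

```javascript
// Added example, not mailgen's code: models the bug class the advisory
// describes and a hardened variant. The regex patterns here are assumptions
// about the class of bug, not the package's actual source.

// Stand-in for the library's entity-decoding step (assumption: only the
// common named entities are needed for this demonstration).
const ENTITIES = { '&lt;': '<', '&gt;': '>', '&amp;': '&', '&quot;': '"' };
function decodeEntities(s) {
  return s.replace(/&(?:lt|gt|amp|quot);/g, m => ENTITIES[m]);
}

// Vulnerable pipeline: '.' in JavaScript never matches a line terminator,
// and U+2028 (LINE SEPARATOR) / U+2029 (PARAGRAPH SEPARATOR) are line
// terminators, so a tag containing either is never matched and survives.
// Entities are decoded afterwards, so nothing later neutralises it.
function stripTagsVulnerable(html) {
  return decodeEntities(html.replace(/<(?:.|\n)*?>/g, ''));
}

// Hardened variant: [\s\S] matches every code unit, line terminators
// included, so the same tag is removed like any other.
function stripTagsFixed(html) {
  return decodeEntities(html.replace(/<[\s\S]*?>/g, ''));
}

// Defender check: output that is meant to be plain text should contain no
// tag-shaped fragment once stripping is done. Suitable as a unit test
// against the installed version, or as a guard before the string reaches
// any context where HTML is interpreted.
function hasResidualTags(text) {
  return /<[^>]*>/.test(text);
}

// Constructed sample: an ordinary tag plus one whose attribute value holds
// U+2028, so the tag is still well-formed markup but defeats the '.'-based
// pattern.
const SAMPLE = 'Hi <b>Alice</b>, order &amp; <i title="\u2028">details</i> attached';

// Compare both pipelines on the same input.
function compare(html = SAMPLE) {
  return {
    vulnerable: stripTagsVulnerable(html),
    fixed: stripTagsFixed(html),
    vulnerableLeaksTag: hasResidualTags(stripTagsVulnerable(html)),
    fixedLeaksTag: hasResidualTags(stripTagsFixed(html)),
  };
}
```

Running `compare()` on the sample shows the `<i title="…">` tag intact in the vulnerable output and gone in the fixed one, which is exactly the difference a regression test for the upgrade should assert on.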

Responsible: GitHub M

Reservation: 10/10/2025

Disclosure: 10/15/2025

Moderation: accepted

CPE: ready

EPSS: 0.00130

KEV: no

Activities: very low
