HTML Injection Vulnerability in Mailgen Node.js Package by Elad Nava
CVE-2025-62380

2.9 LOW

Key Information:

  • Vendor: Eladnava
  • Status: Vendor
  • CVE Published: 15 October 2025

What is CVE-2025-62380?

The Mailgen package for Node.js, used for creating responsive HTML emails, is susceptible to an HTML injection vulnerability in the generatePlaintext method. The issue arises when user-generated content includes certain Unicode characters that evade the regular expressions intended to strip HTML tags. Consequently, the generated output can contain unexpected HTML elements in an email part that is expected to be plaintext, which may lead to execution of malicious scripts in recipient browsers. To mitigate this risk, avoid passing untrusted input to Mailgen.generatePlaintext and upgrade to version 2.0.32, where this vulnerability is addressed.

Affected Version(s)

mailgen < 2.0.32
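The following is an added, illustrative example and is not Mailgen's own code. It shows two defensive checks a deployment can apply around the advisory above: an audit helper that flags installed mailgen versions below 2.0.32 (the fixed version named on this page), and a defence-in-depth guard that inspects a generated text/plain body for any residual angle brackets before it is handed to a mailer, so that a tag which slipped past a stripping regex is caught regardless of the characters used to evade it. The function `toPlaintext` is a constructed stand-in for a regex-based stripper of the general kind the advisory describes; it is not Mailgen's implementation.

```javascript
// Added example, not part of Mailgen. All sample inputs below are constructed.

// Fixed version taken from the advisory: mailgen < 2.0.32 is affected.
const FIXED_VERSION = [2, 0, 32];

// Returns true when `version` (a plain "x.y.z" string, as reported by
// `npm ls mailgen`) is older than the fixed release.
function isAffectedMailgenVersion(version) {
  const parts = version.split('.').map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version string: ${version}`);
  }
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return false; // exactly 2.0.32
}

// Constructed stand-in for a regex-based HTML-to-text step (assumption; not Mailgen's code).
// Stripping by pattern is inherently fragile, which is why the guard below
// checks the *output* rather than trusting the stripper.
function toPlaintext(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Scans a text/plain body and reports every angle bracket that survived.
// A transactional email's plaintext part normally needs none, so any hit is
// treated as residual markup. Returns { ok, findings } where each finding is
// { index, char }.
function inspectPlaintextPart(text) {
  const findings = [];
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '<' || ch === '>') {
      findings.push({ index: i, char: ch });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Wraps the conversion: refuses to return a plaintext body that still carries
// markup, so the caller never hands such a part to the mailer.
function guardedPlaintext(html) {
  const text = toPlaintext(html);
  const report = inspectPlaintextPart(text);
  if (!report.ok) {
    const where = report.findings.map((f) => `${f.char}@${f.index}`).join(', ');
    throw new Error(`plaintext part still contains markup characters: ${where}`);
  }
  return text;
}

module.exports = { isAffectedMailgenVersion, inspectPlaintextPart, guardedPlaintext, toPlaintext };
```

In practice the guard sits between the template step and the transport: if it throws, the message is logged and dropped rather than sent, and the version helper can be run in CI against `npm ls --json` output to fail the build while a vulnerable release is installed.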

References

CVSS V4

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
