PT-2025-42387 · Mailgen · Mailgen

Published: 2025-10-15 · Updated: 2025-10-16 · CVE-2025-62380
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: mailgen, versions through 2.0.31
Description: mailgen is a Node.js package that generates responsive HTML e-mails. In the affected versions, the generatePlaintext method derives the plaintext alternative from the rendered HTML by first removing tags with a regular expression and then decoding HTML entities. The regular expression does not match the Unicode line separator characters (U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR; in an ECMAScript regular expression the "." metacharacter treats both as line terminators and does not match them unless the s flag is set), so a tag that contains one of them is not removed. The entity-decoding step then turns the surviving, entity-encoded tag into literal HTML, and unexpected HTML remains in what callers treat as plaintext. Untrusted input reaches this path whenever attacker-controlled content (for example a user-supplied name or message placed in the e-mail body) is passed to generatePlaintext. A mail client renders the plaintext part as text, but if a consumer inserts the resulting string into a context where HTML is interpreted, such as a web page that previews or logs the message, attacker-supplied script executes in the victim's browser.
Recommendations: Update to version 2.0.32 or later. Until the update is deployed, treat the output of generatePlaintext as untrusted text and HTML-escape it before placing it in any context where HTML is interpreted.
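The following is an added example, not code from mailgen or from this advisory. It models the strip-then-decode pipeline described above with a regular expression whose "." and "\n" alternatives cannot match U+2028 or U+2029, shows a constructed tag that survives it, contrasts a stripper that matches any character, and includes the escaping a consumer needs before rendering the plaintext in an HTML context. The function names, the minimal entity decoder and the sample input are all constructed for this example; the advisory does not show mailgen's actual pattern.

```javascript
// Added example, not mailgen's code: a strip-then-decode plaintext pipeline of
// the shape the advisory describes, a probe string that defeats it, a hardened
// stripper, and the escaping a consumer needs before rendering plaintext as HTML.

const LINE_SEPARATOR = '\u2028'; // U+2028 LINE SEPARATOR; U+2029 behaves the same

// Stand-in for an entity-decoding library (constructed for this example;
// covers only the entities the sample input uses).
function decodeEntities(s) {
  const table = { lt: '<', gt: '>', amp: '&', quot: '"', '#39': "'" };
  return s.replace(/&(lt|gt|amp|quot|#39);/g, (_, name) => table[name]);
}

// Vulnerable shape: in an ECMAScript regex '.' never matches a line terminator
// (\n, \r, U+2028, U+2029) unless the 's' flag is set. Alternating with '\n'
// covers one of the four, so a tag that contains U+2028 or U+2029 is not
// matched and therefore not removed.
function stripTagsDot(html) {
  return html.replace(/<(?:.|\n)*?>/gm, '');
}

// Hardened shape: [\s\S] matches every code unit, line terminators included.
function stripTagsAny(html) {
  return html.replace(/<[\s\S]*?>/g, '');
}

function toPlaintextVulnerable(html) {
  return decodeEntities(stripTagsDot(html));
}

function toPlaintextHardened(html) {
  return decodeEntities(stripTagsAny(html));
}

// Constructed sample: a rendered paragraph whose attacker-controlled part is an
// <img> whose onerror attribute value starts with U+2028. HTML accepts that
// character inside an attribute value and JavaScript treats it as whitespace,
// so a consumer that renders the surviving tag as markup still runs alert(1).
const SAMPLE =
  `<p class="intro">Hello,<img src=x onerror="${LINE_SEPARATOR}alert(1)"> welcome &amp; enjoy</p>`;

// Does a string still contain something that would open an HTML tag?
function containsTag(text) {
  return /<[A-Za-z!/]/.test(text);
}

// A consumer that later places "plaintext" into an HTML context must escape it:
// decoded plaintext may legitimately contain '<' and '&'.
function escapeForHtml(text) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => table[c]);
}

function main() {
  const vuln = toPlaintextVulnerable(SAMPLE);
  const safe = toPlaintextHardened(SAMPLE);
  console.log('vulnerable pipeline:', JSON.stringify(vuln), 'tag left:', containsTag(vuln));
  console.log('hardened pipeline:  ', JSON.stringify(safe), 'tag left:', containsTag(safe));
  console.log('escaped for HTML:   ', escapeForHtml(vuln));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

The hardened stripper only closes the gap the advisory names; the plaintext it returns is still text that may contain "<" from decoded entities, so escapeForHtml (or the equivalent in your templating layer) is what keeps it from being interpreted as markup wherever it is displayed.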

Exploit

Fix

XSS

Related Identifiers

CVE-2025-62380
GHSA-Q4W9-X3RV-4C8J

Affected Products

Mailgen