The vulnerability CVE-2025-62380 affects mailgen, a popular Node.js package used to generate responsive HTML emails, specifically in versions before 2.0.32. The issue lies in the generatePlaintext method, which is intended to produce plaintext versions of emails by stripping HTML tags from user-supplied content. The method uses a regular expression to remove HTML tags, but it does not account for tags that include certain Unicode line separator characters. These characters cause the regex to fail to match and remove some tags, allowing encoded HTML tags to remain in the plaintext output. Subsequently, when HTML entities are decoded, these tags become valid HTML elements within what should be plaintext content. If an application using mailgen calls generatePlaintext with untrusted input and then renders or processes the output in a context where HTML is interpreted (e.g., a webmail client or a web interface displaying the plaintext email), this can lead to cross-site scripting (XSS) attacks. The attacker can inject malicious scripts that execute in the victim's browser, potentially stealing session tokens, performing actions on behalf of the user, or delivering further payloads. The vulnerability requires no authentication or user interaction, but exploitation depends on the application’s handling of the plaintext output. The issue was fixed in mailgen version 2.0.32. The CVSS 4.0 base score is 2.9 (low), reflecting the limited impact and exploitation complexity. No known exploits have been reported in the wild as of the publication date.

For European organizations, the impact of this vulnerability is primarily on the confidentiality and integrity of user data accessed via email clients or web interfaces that render the vulnerable plaintext output as HTML. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, phishing, or unauthorized actions within webmail portals. However, the overall impact is limited by the low CVSS score and the requirement that the vulnerable output be rendered in an HTML context, which may not be common practice. Organizations relying on mailgen for transactional emails that include user-generated content are at risk, especially if they do not sanitize inputs before passing them to mailgen or if their email clients render plaintext emails as HTML. The vulnerability does not affect mail servers or the mail delivery infrastructure directly but targets the client-side rendering environment. Given the widespread use of Node.js and mailgen in web applications and services, European companies in sectors such as e-commerce, finance, and SaaS platforms that send transactional emails could be affected if they use vulnerable versions. The absence of known exploits reduces immediate risk but does not eliminate the need for remediation.

European organizations should immediately update mailgen to version 2.0.32 or later to ensure the vulnerability is patched. Additionally, developers should implement strict input validation and sanitization on all user-generated content before passing it to mailgen’s generatePlaintext method. Avoid rendering plaintext email outputs in contexts where HTML is interpreted; treat plaintext strictly as plain text. Employ Content Security Policy (CSP) headers in webmail or email client interfaces to restrict script execution and mitigate potential XSS impacts. Conduct code reviews and security testing focused on email generation and rendering workflows to detect similar injection issues. Monitor email rendering environments for unusual script execution or anomalies. Finally, educate development teams about the risks of improper input handling in email generation libraries and encourage timely dependency updates.