Mailgen HTML Injection Vulnerability in Plaintext Email Generation

Vulnerability

A vulnerability allowing HTML injection has been identified in the Mailgen Node.js package, specifically in versions through 2.0.31. This issue arises in plaintext emails generated by the 'generatePlaintext' method when user-generated content is included. The vulnerability occurs because the plaintext generation process attempts to remove HTML tags using a regular expression and then decodes HTML entities. However, tags containing certain Unicode line separator characters are not properly stripped, allowing HTML to persist in output meant to be plaintext. Projects that use Mailgen's 'generatePlaintext' with untrusted input and then process the output in a context that interprets HTML may be at risk, potentially leading to the execution of injected scripts in the recipient's browser.

Impact

Exploitation of this vulnerability could result in HTML injection, allowing for the execution of scripts in the context of the affected user's browser.

Reproduction

To reproduce this vulnerability, use Mailgen version 2.0.31 or earlier and pass user-generated content containing HTML tags with certain Unicode line separator characters to the 'generatePlaintext' method. The resulting plaintext output still contains the HTML; any consumer that renders that output as HTML will interpret it, including any scripts, which can then be executed in the browser.

Remediation

Users can upgrade to Mailgen version 2.0.32 or later, where this vulnerability has been fixed.

Added: Oct 15, 2025, 5:22 PM
Updated: Oct 15, 2025, 5:22 PM

Vulnerability Rating (Custom Algorithm)

Category        Score
spread          0.0
impact          1.7
exploitability  7.7
remediation     7.7
relevance       0.7
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.