fix: prevent RFC 2047 encoded-word address fabrication in decodeAddresses

andris9 · andris9 · commit 08b800cd1c5a · 2026-03-09T13:42:27.000+02:00
Guard recursive decode-and-reparse to require angle-bracket-delimited
addresses before re-parsing decoded content. Detect and reject RFC 2047
encoded-words in addr-spec that produce invalid addresses after decoding.
diff --git a/lib/mail-parser.js b/lib/mail-parser.js
@@ -526,18 +526,30 @@ class MailParser extends Transform {
             address.name = (address.name || '').toString().trim();
 
             if (!address.address && /^(=\?([^?]+)\?[Bb]\?[^?]*\?=)(\s*=\?([^?]+)\?[Bb]\?[^?]*\?=)*$/.test(address.name) && !processedAddress.has(address)) {
-                let parsed = addressparser(this.libmime.decodeWords(address.name));
-                if (parsed.length) {
-                    parsed.forEach(entry => {
-                        processedAddress.add(entry);
-                        addresses.push(entry);
-                    });
-                }
+                let decoded = this.libmime.decodeWords(address.name);
+                // Security fix: only re-parse if decoded text contains angle-bracket-delimited
+                // addresses (e.g. "Name <user@domain>"). Bare decoded text like "attacker@evil.com"
+                // must not be re-interpreted as an address -- RFC 2047 Section 5 prohibits
+                // encoded-words in addr-spec, and re-parsing fabricates addresses not present
+                // in the original header.
+                if (/<[^<>]+@[^<>]+>/.test(decoded)) {
+                    let parsed = addressparser(decoded);
+                    if (parsed.length) {
+                        parsed.forEach(entry => {
+                            processedAddress.add(entry);
+                            addresses.push(entry);
+                        });
+                    }
 
-                // remove current element
-                addresses.splice(i, 1);
-                i--;
-                continue;
+                    // remove current element
+                    addresses.splice(i, 1);
+                    i--;
+                    continue;
+                } else {
+                    // Treat decoded content as display name only
+                    address.name = decoded;
+                    continue;
+                }
             }
 
             if (address.name) {
@@ -547,6 +559,21 @@ class MailParser extends Transform {
                     //ignore, keep as is
                 }
             }
+            // Security fix: detect RFC 2047 encoded-words in the address field.
+            // Per RFC 2047 Section 5, encoded-words MUST NOT appear in addr-spec.
+            // If found, decode and validate; reject if result is not a simple local@domain.
+            if (address.address && /[=]\?[^?]+\?[BbQq]\?[^?]*\?[=]/.test(address.address)) {
+                try {
+                    let decodedAddr = this.libmime.decodeWords(address.address);
+                    if (/^[^\s@]+@[^\s@]+$/.test(decodedAddr) && !/[=]\?/.test(decodedAddr)) {
+                        address.address = decodedAddr;
+                    } else {
+                        address.address = '';
+                    }
+                } catch (E) {
+                    address.address = '';
+                }
+            }
             if (/@xn--/.test(address.address)) {
                 try {
                     address.address =
diff --git a/test/address-security-test.js b/test/address-security-test.js
@@ -0,0 +1,77 @@
+'use strict';
+
+const simpleParser = require('../lib/simple-parser');
+
+module.exports['Should not fabricate address from bare Base64 encoded email'] = test => {
+    // attacker@evil.com encoded as Base64
+    let source = Buffer.from(`From: =?utf-8?b?YXR0YWNrZXJAZXZpbC5jb20=?=\r\nTo: victim@example.com\r\n\r\ntest`);
+
+    simpleParser(source, {}, (err, mail) => {
+        test.ifError(err);
+        test.ok(mail);
+
+        test.equal(mail.from.value[0].address, '', 'Bare encoded email must not become an address');
+        test.equal(mail.from.value[0].name, 'attacker@evil.com', 'Decoded text should be treated as display name');
+
+        test.done();
+    });
+};
+
+module.exports['Should still parse legitimate encoded Name <email> addresses'] = test => {
+    // "Rydel" <Rydelkalot@17guagua.com> encoded as Base64
+    let source = Buffer.from(`From: test@example.com\r\nTo: =?utf-8?B?IlJ5ZGVsIiA8UnlkZWxrYWxvdEAxN2d1YWd1YS5jb20+?=, andris@tr.ee\r\n\r\ntest`);
+
+    simpleParser(source, {}, (err, mail) => {
+        test.ifError(err);
+        test.ok(mail);
+
+        let toAddresses = mail.to.value;
+        let rydel = toAddresses.find(a => a.address === 'Rydelkalot@17guagua.com');
+        test.ok(rydel, 'Legitimate encoded address with angle brackets should still be parsed');
+        test.equal(rydel.name, 'Rydel');
+
+        test.done();
+    });
+};
+
+module.exports['Should decode and reject encoded-words in addr-spec that produce invalid addresses'] = test => {
+    // =40 decodes to @, producing @attacker.com@microsoft.com (two @ signs)
+    let source = Buffer.from(`From: =?utf-8?q?=40attacker.com?=@microsoft.com\r\nTo: victim@example.com\r\n\r\ntest`);
+
+    simpleParser(source, {}, (err, mail) => {
+        test.ifError(err);
+        test.ok(mail);
+
+        test.equal(mail.from.value[0].address, '', 'Encoded-word in addr-spec producing invalid address should be cleared');
+
+        test.done();
+    });
+};
+
+module.exports['Should not touch normal addresses'] = test => {
+    let source = Buffer.from(`From: "Sender" <sender@example.com>\r\nTo: recipient@example.com\r\n\r\ntest`);
+
+    simpleParser(source, {}, (err, mail) => {
+        test.ifError(err);
+        test.ok(mail);
+
+        test.equal(mail.from.value[0].address, 'sender@example.com');
+        test.equal(mail.from.value[0].name, 'Sender');
+        test.equal(mail.to.value[0].address, 'recipient@example.com');
+
+        test.done();
+    });
+};
+
+module.exports['Should not touch percent-hack addresses'] = test => {
+    let source = Buffer.from(`From: user%attacker.com@microsoft.com\r\nTo: victim@example.com\r\n\r\ntest`);
+
+    simpleParser(source, {}, (err, mail) => {
+        test.ifError(err);
+        test.ok(mail);
+
+        test.equal(mail.from.value[0].address, 'user%attacker.com@microsoft.com', 'Percent-hack addresses should pass through as-is');
+
+        test.done();
+    });
+};
