Nodemailer v8 Security Patch: Critical SMTP Command Injection Vulnerability (GHSA-c7w3-x93f-qmm8)
A critical security vulnerability in the widely used Nodemailer library allows arbitrary SMTP command injection, posing a direct threat to email infrastructure integrity. The flaw, tracked as GHSA-c7w3-x93f-qmm8, is triggered when a custom `envelope` object whose `size` property contains CRLF characters (`\r\n`) is passed to the `sendMail()` function. The unsanitized value is concatenated directly into the SMTP `MAIL FROM` command, so a line break in the value terminates that command early and whatever follows is sent to the SMTP server as additional commands.
The vulnerability resides in versions prior to Nodemailer v8.0.4. The issue is not theoretical: any caller that lets untrusted input reach the `envelope` object has a concrete path by which that input escapes the single SMTP command it was meant to occupy and manipulates the underlying protocol session. The dependency update pull request explicitly moves from version 7.0.13 to 8.0.4 to address this security advisory, signaling an urgent need for maintainers to review and merge this fix.
This vulnerability places any application using a vulnerable version of Nodemailer for email dispatch at immediate risk. The potential fallout extends beyond data leakage to include server compromise, email spoofing, and abuse of SMTP services. The update is not a minor feature patch but a mandatory security remediation. Development teams must treat this as a high-priority action item, verifying their dependency trees and applying the update to mitigate the injection risk before exploitation attempts become widespread.
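As an added, defender-side example that is not part of the advisory or of Nodemailer's own code: a validation layer that rejects any envelope whose addresses carry CR or LF, or whose `size` is not a plain non-negative integer, before the object reaches `sendMail()`. It is a defence-in-depth check for applications that accept envelope data from callers, to sit alongside the upgrade rather than replace it; the helper names (`sanitizeEnvelope`, `sendWithCheckedEnvelope`) and the `transporter` shape are assumptions, not Nodemailer API.

```javascript
// Added example (not Nodemailer's own code): validate a caller-supplied
// envelope before it is handed to transporter.sendMail(), so that a value
// containing CR/LF can never be spliced into the MAIL FROM / RCPT TO lines.
// Assumes the { from, to, size } envelope shape described in the advisory.
const CRLF_RE = /[\r\n]/;

function requireCleanAddress(field, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`envelope.${field} must be a non-empty string`);
  }
  if (CRLF_RE.test(value)) {
    throw new TypeError(`envelope.${field} contains CR/LF characters`);
  }
  return value;
}

function sanitizeEnvelope(envelope) {
  if (envelope === null || typeof envelope !== 'object') {
    throw new TypeError('envelope must be an object');
  }
  const clean = {
    from: requireCleanAddress('from', envelope.from),
    to: (Array.isArray(envelope.to) ? envelope.to : [envelope.to])
      .map((addr) => requireCleanAddress('to', addr)),
  };
  if (envelope.size !== undefined) {
    // SIZE is a number in the protocol. Reject anything that is not a plain
    // non-negative integer instead of coercing it, so a string that embeds a
    // line break (the trigger for GHSA-c7w3-x93f-qmm8) is never accepted.
    if (!Number.isSafeInteger(envelope.size) || envelope.size < 0) {
      throw new TypeError('envelope.size must be a non-negative integer');
    }
    clean.size = envelope.size;
  }
  return clean;
}

// Wrapper that applies the check on every send. `transporter` is any object
// with Nodemailer's sendMail(mailOptions) signature (hypothetical adapter);
// validation errors throw synchronously, before anything touches the wire,
// and the transporter's own return value (a Promise with Nodemailer) is
// passed straight back to the caller.
function sendWithCheckedEnvelope(transporter, mailOptions) {
  const safe = { ...mailOptions };
  if (mailOptions.envelope !== undefined) {
    safe.envelope = sanitizeEnvelope(mailOptions.envelope);
  }
  return transporter.sendMail(safe);
}
```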