Nodemailer v8 Security Patch: Critical SMTP Command Injection Vulnerability Fixed
A critical security vulnerability in the widely-used Nodemailer email-sending library has been patched in its new major version, v8. The flaw, tracked as GHSA-c7w3-x93f-qmm8, allowed for arbitrary SMTP command injection, posing a severe risk to any application using the library to send mail. This is not a theoretical weakness; it is a direct path for attackers to manipulate the mail server communication channel, potentially leading to data exfiltration, server compromise, or mail system abuse.
The vulnerability resided in the `sendMail()` function. When a custom `envelope` object containing a `size` property was passed to this function, the library would concatenate the property's value directly into the SMTP `MAIL FROM` command without proper sanitization. If an attacker could control this `size` value and inject carriage return and line feed (CRLF) characters (`\r\n`), they could break out of the intended command and append their own malicious SMTP instructions. This type of injection is a classic and dangerous attack vector for mail servers.
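The following is an added defensive example, not Nodemailer's own code or its v8 patch: an application-side guard that validates a custom `envelope` before it is handed to `sendMail()`, so the `size` field (sent as the `SIZE` parameter of `MAIL FROM`) and the envelope addresses can never carry CR/LF into an SMTP command line. The `buildMailFrom` helper is illustrative of the command shape described above and is an assumption, not the library's internal builder.

```javascript
// Added example (not Nodemailer's code): reject any envelope field that could
// break out of the SMTP MAIL FROM / RCPT TO line via CR/LF or control bytes.

const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// A SIZE value must be a plain non-negative integer, as a number or a
// digits-only string. Anything else (including embedded CRLF) is rejected.
function isSafeSize(size) {
  if (typeof size === 'number') {
    return Number.isInteger(size) && size >= 0;
  }
  return typeof size === 'string' && /^\d+$/.test(size);
}

// An envelope address must be a single line with no control characters.
function isSafeAddress(addr) {
  return typeof addr === 'string' && addr.length > 0 && !CONTROL_CHARS.test(addr);
}

// Validates an envelope object; throws on any field that could be used to
// inject additional SMTP commands. Returns true when the envelope is clean.
function validateEnvelope(envelope) {
  if (!envelope || typeof envelope !== 'object') {
    throw new TypeError('envelope must be an object');
  }
  if (!isSafeAddress(envelope.from)) {
    throw new Error('envelope.from is missing or contains control characters');
  }
  const rcpts = Array.isArray(envelope.to) ? envelope.to : [envelope.to];
  for (const rcpt of rcpts) {
    if (!isSafeAddress(rcpt)) {
      throw new Error('envelope.to contains an unsafe recipient address');
    }
  }
  if (envelope.size !== undefined && !isSafeSize(envelope.size)) {
    throw new Error('envelope.size must be a non-negative integer');
  }
  return true;
}

// Illustrative MAIL FROM builder (assumption, not Nodemailer's): it only emits
// a command from a validated envelope, so SIZE= is always a bare integer.
function buildMailFrom(envelope) {
  validateEnvelope(envelope);
  const sizeExt = envelope.size !== undefined ? ` SIZE=${Number(envelope.size)}` : '';
  return `MAIL FROM:<${envelope.from}>${sizeExt}`;
}
```

Call `validateEnvelope(envelope)` before `transporter.sendMail({ ..., envelope })` as a belt-and-braces check; upgrading to v8 remains the actual fix.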
The update to Nodemailer v8.0.0 and later resolves this security hole. The patch ensures that user-supplied input is properly sanitized before being included in SMTP protocol commands, closing the injection pathway. This fix is a mandatory upgrade for all maintainers and development teams relying on Nodemailer, as the earlier release line (the `^6.9.8` range) remains exposed. The update highlights the persistent risk of protocol-level injections in foundational infrastructure libraries and the critical importance of timely dependency management.