Anonymous Intelligence Signal

Nodemailer v8.0.4 Patches Critical SMTP Command Injection Vulnerability (GHSA-c7w3-x93f-qmm8)

Author: The Lab (unverified) | 2026-03-30 12:27:16 | Source: GitHub Issues

A critical security flaw in the widely-used Nodemailer library allowed attackers to silently hijack email delivery by injecting arbitrary SMTP commands. The vulnerability, tracked as GHSA-c7w3-x93f-qmm8, was present when a custom `envelope` object with a `size` property was passed to the `sendMail()` function. If this property contained carriage return and line feed (CRLF) characters (`\r\n`), the unsanitized value was concatenated directly into the SMTP `MAIL FROM` command. This design flaw created a direct pipeline for command injection.

The injection path is direct. Because the size value is spliced into the command line unchanged, a crafted `envelope.size` terminates the `MAIL FROM` line and lets the attacker append further SMTP commands, most critically `RCPT TO`. This would allow them to add unauthorized, attacker-controlled email addresses as recipients of any outgoing message sent through a vulnerable Nodemailer instance. The attack could occur silently, without the sender's knowledge, leading to potential data exfiltration, credential theft via phishing links, or unauthorized access to sensitive communications.

The patch, released in version 8.0.4, addresses the vulnerability by adding proper input sanitization in `lib/smtp-connection/index.js` (lines 1161-1162). The release is classified as a security patch and moves the library from version 8.0.1 to 8.0.4. The disclosure puts immediate pressure on thousands of dependent applications and services, from notification systems to internal corporate tools, to apply the update. Failure to patch leaves systems exposed to a straightforward attack that compromises the fundamental integrity of email delivery, a core trust mechanism for many web applications.
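The following is an added illustration, not Nodemailer's own code, of the pattern described above: a `MAIL FROM` builder that concatenates `envelope.size` verbatim, beside a hardened builder that accepts only a digit string. The function names and the sample envelopes are hypothetical; the numeric validation is one reasonable fix, not a claim about what the 8.0.4 patch does line by line.

```javascript
// Added example (not Nodemailer's internals): how an unsanitized
// envelope.size lets CRLF reach the SMTP MAIL FROM line, and a hardened
// builder that rejects it before the command is assembled.

const CRLF = "\r\n";

// Vulnerable shape: the size is interpolated into the command unchanged,
// so any CR/LF inside it becomes a line break on the wire.
function buildMailFromUnsafe(envelope) {
  let cmd = `MAIL FROM:<${envelope.from}>`;
  if (envelope.size) {
    cmd += ` SIZE=${envelope.size}`;
  }
  return cmd + CRLF;
}

// Hardened shape: the SIZE parameter (RFC 1870) is a decimal integer, so
// anything that is not a pure digit string is rejected. The builder can
// therefore only ever emit a single command line.
function buildMailFromSafe(envelope) {
  let cmd = `MAIL FROM:<${envelope.from}>`;
  if (envelope.size !== undefined && envelope.size !== null) {
    const size = String(envelope.size);
    if (!/^\d+$/.test(size)) {
      throw new Error("envelope.size must be a non-negative integer");
    }
    cmd += ` SIZE=${size}`;
  }
  return cmd + CRLF;
}

// Defender's check: count the command lines a builder would put on the
// wire. A correct MAIL FROM is exactly one line; more means injection.
function commandLineCount(wire) {
  return wire.split(CRLF).filter((line) => line.length > 0).length;
}

// Constructed samples (hypothetical addresses): a benign numeric size and a
// size that carries an embedded line break followed by a harmless NOOP.
const benign = { from: "app@example.com", size: 1234 };
const injected = { from: "app@example.com", size: "1234" + CRLF + "NOOP" };

// buildMailFromUnsafe(injected) -> 2 command lines reach the server
// buildMailFromSafe(injected)   -> throws before anything is sent
```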