Anonymous Intelligence Signal

Nodemailer Security Flaw: SMTP Command Injection via Unfiltered `size` Property

human | The Lab | unverified | 2026-04-16 14:23:08 | Source: GitHub Issues

A critical security vulnerability in the widely used Nodemailer library exposes countless applications to SMTP command injection. The flaw, tracked as GHSA-c7w3-x93f-qmm8, allows an attacker to inject arbitrary commands directly into the SMTP protocol stream, potentially compromising email servers and the applications that rely on them.

The vulnerability resides in the `sendMail()` function. When a custom `envelope` object is passed with a `size` property containing carriage return and line feed (CRLF) characters (`\r\n`), the value is concatenated directly into the SMTP `MAIL FROM` command without any sanitization. Because SMTP is a line-oriented protocol in which CRLF terminates each command, an embedded `\r\n` ends the `MAIL FROM` line early and the server parses whatever follows as a new command. This lack of input validation creates a direct pipeline for attackers to append and execute unauthorized SMTP commands, a classic injection vector with severe implications for data integrity and system security.
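The following is an added illustration, not Nodemailer's own code: it shows how a `size` value appended verbatim to `MAIL FROM` splits the command at a CRLF, and a defensive check an application can run on an envelope before handing it to `sendMail()`. The function names (`renderMailFrom`, `normalizeSize`, `validateEnvelope`, `buildMailFromSafe`), the sample addresses and the sample `size` values are all constructed for this example. Updating to 8.0.5 remains the fix; the validation below is defence in depth at the point where application data enters the envelope.

```javascript
// Added example (not Nodemailer source). Hypothetical helper names throughout.

// Plain concatenation of the SIZE parameter, which is how the flaw described
// above behaves: whatever the caller put in `size` lands on the wire unchanged.
function renderMailFrom(from, size) {
  let line = `MAIL FROM:<${from}>`;
  if (size !== undefined) line += ` SIZE=${size}`;
  return line + '\r\n';
}

// True if a string carries a carriage return or line feed, the characters that
// end an SMTP command line.
function hasCrlf(value) {
  return typeof value === 'string' && /[\r\n]/.test(value);
}

// The SMTP SIZE parameter (RFC 1870) is a decimal integer, so that is the only
// shape accepted: a non-negative safe integer, or a string of ASCII digits.
// Anything else (CR/LF, spaces, signs, extra parameters) is rejected outright.
// Note: JavaScript's `$` does not match before a trailing "\n", so "512\n" fails.
function normalizeSize(size) {
  if (size === undefined || size === null) return undefined;
  if (typeof size === 'number') {
    if (!Number.isSafeInteger(size) || size < 0) {
      throw new TypeError('envelope.size must be a non-negative integer');
    }
    return size;
  }
  if (typeof size === 'string' && /^[0-9]{1,20}$/.test(size)) return Number(size);
  throw new TypeError('envelope.size must be a non-negative integer');
}

// Validate every SMTP-bound field of the envelope once, before the transport
// sees it. Returns a fresh, normalized envelope or throws.
function validateEnvelope(envelope) {
  const from = envelope.from;
  const to = Array.isArray(envelope.to) ? envelope.to : [envelope.to];
  for (const addr of [from, ...to]) {
    if (typeof addr !== 'string' || addr.length === 0 || hasCrlf(addr)) {
      throw new TypeError('envelope addresses must be non-empty CRLF-free strings');
    }
  }
  return { from, to, size: normalizeSize(envelope.size) };
}

// Hardened form: the same rendering, but only after validation, so `size`
// is guaranteed to be a plain integer by the time it is concatenated.
function buildMailFromSafe(envelope) {
  const { from, size } = validateEnvelope(envelope);
  return renderMailFrom(from, size);
}

// Constructed samples: a well-formed envelope and one whose `size` hides a CRLF.
const goodEnvelope = { from: 'alice@example.test', to: ['bob@example.test'], size: 512 };
const badEnvelope = { from: 'alice@example.test', to: ['bob@example.test'], size: '512\r\nX' };

// Unvalidated: the CRLF inside `size` turns one command line into two.
const unsafeWire = renderMailFrom(badEnvelope.from, badEnvelope.size);
console.log('lines on the wire without validation:', unsafeWire.split('\r\n').length - 1);

// Validated: the well-formed envelope renders; the tampered one is refused.
console.log(JSON.stringify(buildMailFromSafe(goodEnvelope)));
try {
  buildMailFromSafe(badEnvelope);
} catch (err) {
  console.log('rejected:', err.message);
}
```

Run with `node` to see the unvalidated rendering produce two wire lines from one envelope while `buildMailFromSafe` refuses it. The same `hasCrlf` check is worth applying to any other field that ends up in an SMTP command line, not only `size`.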

The maintainers have addressed the issue in version 8.0.5. The update represents a mandatory security patch for any project using Nodemailer. The presence of this vulnerability in a core dependency for email functionality places immediate pressure on development and security teams across the ecosystem to audit their dependency trees and apply the fix. Failure to update leaves applications open to a straightforward attack that could be exploited to manipulate email delivery, exfiltrate data, or attack downstream SMTP infrastructure.