Anonymous Intelligence Signal

Critical SMTP Header Injection Vulnerability in Mail Package via Display Name

Author: The Lab (human, unverified) | 2026-04-17 05:22:36 | Source: GitHub Issues

A critical security flaw in the SMTP transport's message builder allows attackers to inject arbitrary email headers by controlling the display name field. The vulnerability resides in the `formatAddress()` method, which interpolates the `addr.name` value into the `From:` and `To:` header lines without validating or stripping carriage return and line feed (CRLF) characters. This oversight creates a direct path for header injection, a classic and severe web application vulnerability.

The affected code is located in `packages/mail/src/drivers/SmtpTransport.ts` and `packages/mail/src/Message.ts`. While the envelope commands MAIL FROM and RCPT TO validate the email addresses they carry, the RFC 2822 display name written into the header receives no equivalent injection check. An attacker who can control a display name, for instance through a user profile field that populates the 'from' address, can insert `\r\n` sequences to terminate the current header line and append new headers. This could be exploited to add hidden BCC recipients, alter the subject line, or insert malicious content headers, compromising email integrity and confidentiality.

The required fix is straightforward: validate display names and strip `\r` and `\n` characters from them inside `formatAddress()`. The severity is marked as critical, underscoring the immediate risk this unvalidated input poses to any application that uses this mail package for outbound communication. Developers must patch this vulnerability to prevent email spoofing and unauthorized information disclosure.
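The vulnerable and hardened forms of the formatter side by side, as an added example that is not the affected package's own code: `Address`, `formatAddressVulnerable`, `formatAddressFixed`, `hasHeaderInjection` and `buildHeaders` are assumed names, and the header block they build is a simplified model of what a transport writes.

```typescript
// Added illustration, not the affected package's code. The type and
// function names here are assumptions for the example.
interface Address {
  name?: string;
  address: string;
}

const CRLF = "\r\n";

// Vulnerable pattern: the display name goes into the header verbatim,
// so a name containing CRLF ends the header line and starts a new one.
function formatAddressVulnerable(addr: Address): string {
  return addr.name ? `${addr.name} <${addr.address}>` : addr.address;
}

// Validation: true when a display name could break out of its header line.
function hasHeaderInjection(name: string): boolean {
  return /[\r\n]/.test(name);
}

// Hardened pattern: strip CR, LF and other control characters, then quote
// the name so RFC 2822 specials (':' ',' '<') cannot be mis-parsed either.
function formatAddressFixed(addr: Address): string {
  if (!addr.name) return addr.address;
  const stripped = addr.name.replace(/[\x00-\x1f\x7f]/g, "");
  const quoted = `"${stripped.replace(/(["\\])/g, "\\$1")}"`;
  return `${quoted} <${addr.address}>`;
}

// Assemble the header block as a transport would, then split it back into
// lines so the effect of an injected CRLF becomes visible.
function buildHeaders(sender: Address, recipient: Address, subject: string,
                      format: (a: Address) => string): string[] {
  const block = `From: ${format(sender)}${CRLF}To: ${format(recipient)}${CRLF}` +
                `Subject: ${subject}${CRLF}`;
  return block.split(CRLF).filter((line) => line.length > 0);
}

// Constructed sample: a profile-controlled display name carrying a CRLF.
const attackerName = "Alice" + CRLF + "X-Injected: yes";
const sender: Address = { name: attackerName, address: "alice@example.com" };
const recipient: Address = { name: "Bob", address: "bob@example.com" };

const unsafeLines = buildHeaders(sender, recipient, "Hello", formatAddressVulnerable);
const safeLines = buildHeaders(sender, recipient, "Hello", formatAddressFixed);
console.log(unsafeLines); // 4 lines: "X-Injected: yes <alice@example.com>" became its own header
console.log(safeLines);   // 3 lines: the name collapsed into one quoted display name
```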