## Nodemailer Security Flaw: SMTP Command Injection via Unfiltered CRLF in 'size' Property
A critical security vulnerability in the widely used Nodemailer email library allows SMTP command injection. The flaw, tracked as GHSA-c7w3-x93f-qmm8, is triggered when a custom `envelope` object containing a `size` property is passed to `sendMail()`. If the `size` value contains carriage return and line feed characters (`\r\n`), the library concatenates the unsanitized value directly into the `MAIL FROM` command, where it is sent as the SMTP `SIZE` parameter. Because SMTP is line-oriented and CRLF terminates each command, everything after the injected line break is parsed by the server as one or more additional commands of the attacker's choosing (an extra `RCPT TO`, for example), issued inside the application's authenticated SMTP session.

The vulnerability stems from a lack of input validation on a single user-controllable property in the mail-sending workflow: `size` is expected to be a non-negative integer (the byte length of the message) but is never checked before being placed on the wire. Nodemailer, a core dependency for countless Node.js applications handling email notifications, password resets, and alerts, is patched in version 8.0.4. Dependency management tools such as RenovateBot flag the update, from the vulnerable ^7.0.13 to the fixed ^8.0.4, as a security priority, so it should be treated as a security fix rather than a routine version bump, even though by semver convention a major-version change may carry other breaking changes that need testing.

This flaw is a dependency (supply chain) risk for any application running an outdated Nodemailer and building a custom `envelope`. Exploitation requires that the `size` value be influenced by untrusted input; code that never sets `envelope.size`, or derives it from a computed message length, is not reachable through this vector, so the audit question is whether any request parameter, template variable, or upstream message field can flow into that property. Where it is reachable, injected commands let an attacker manipulate the SMTP session: adding recipients turns the application into a spam or phishing relay, injected `DATA` can alter message content, and further impact depends on the SMTP server's configuration and on what the authenticated account is permitted to do. Development teams should review their dependencies (for example with `npm audit`), apply the patch, and audit any code that programmatically constructs the `envelope` object for email sending operations.
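The following is an added illustration, not Nodemailer's code or anything taken from the advisory. It uses a simplified stand-in for how a custom envelope's `size` is concatenated into the `MAIL FROM` line (modelling the flaw described above), a toy line-splitter standing in for the server side of the protocol to show how a CRLF in that value turns into extra commands, a hardened builder that accepts only a decimal integer, and a small audit helper for the envelope review recommended in the previous paragraph. The envelope values and the `attacker@example.net` recipient are constructed sample data.

```javascript
// Added example (not Nodemailer's code): how a CRLF inside envelope.size
// becomes SMTP command injection, and how to reject it.

// Simplified stand-in for the flawed behaviour: `size` is concatenated into
// the MAIL FROM line with no validation. Not Nodemailer's implementation.
function buildMailFromVulnerable(envelope) {
  let cmd = `MAIL FROM:<${envelope.from}>`;
  if (envelope.size) {
    cmd += ` SIZE=${envelope.size}`;
  }
  return cmd + '\r\n';
}

// Hardened builder: the SIZE parameter is a decimal byte count, so accept
// only a string of ASCII digits and nothing else (no CR, LF, spaces, signs).
function buildMailFromSafe(envelope) {
  let cmd = `MAIL FROM:<${envelope.from}>`;
  if (envelope.size !== undefined) {
    const raw = String(envelope.size);
    if (!/^[0-9]+$/.test(raw)) {
      throw new Error('envelope.size must be a non-negative integer');
    }
    cmd += ` SIZE=${raw}`;
  }
  return cmd + '\r\n';
}

// Toy server-side view: an SMTP server reads one command per CRLF-terminated
// line. This returns the command verbs a server would see in the byte stream.
function smtpCommandsSeen(wire) {
  return wire
    .split('\r\n')
    .filter((line) => line.length > 0)
    .map((line) => line.split(/[\s:]/)[0].toUpperCase());
}

// Audit helper: flag any envelope field that carries CR or LF before it
// reaches a mail library (hypothetical check, not part of Nodemailer).
function envelopeHasCrlf(envelope) {
  return Object.values(envelope).some(
    (v) => typeof v === 'string' && /[\r\n]/.test(v),
  );
}

// Constructed sample data: an attacker-controlled size that smuggles in an
// extra recipient and a DATA command, and a benign envelope for comparison.
const maliciousEnvelope = {
  from: 'alerts@example.com',
  to: 'user@example.com',
  size: '1024\r\nRCPT TO:<attacker@example.net>\r\nDATA',
};
const benignEnvelope = {
  from: 'alerts@example.com',
  to: 'user@example.com',
  size: 1024,
};

// With the unvalidated builder the server sees three commands instead of one.
console.log(smtpCommandsSeen(buildMailFromVulnerable(maliciousEnvelope)));
// The hardened builder passes the benign envelope and rejects the payload.
console.log(smtpCommandsSeen(buildMailFromSafe(benignEnvelope)));
try {
  buildMailFromSafe(maliciousEnvelope);
} catch (err) {
  console.log('rejected:', err.message);
}
console.log('audit flag:', envelopeHasCrlf(maliciousEnvelope), envelopeHasCrlf(benignEnvelope));
```

The allow-list regex is the important part: filtering out `\r` and `\n` alone still leaves room for other separator tricks, whereas permitting only digits matches what the `SIZE` parameter can legitimately contain. The audit helper is a coarse pre-flight check for code that assembles envelopes from request data; it does not replace upgrading the library.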
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software vulnerability, supply chain, npm, smtp
- **Credibility**: unverified
- **Published**: 2026-04-01 10:26:56
- **ID**: 45089
- **URL**: https://whisperx.ai/en/intel/45089