Affected versions of lettre allowed SMTP command injection through an attacker-controlled message body. The module for escaping lines starting with a period did not catch a period placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.
The flaw is fixed by correctly handling consecutive CRLF sequences.
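The escaping rule described above, as an added example that is not lettre's own code: a dot-stuffing encoder that recomputes its line-start state on every byte, so an empty line (consecutive CRLFs) cannot hide a leading period, plus a check for a premature end-of-data marker. The names `dot_stuff` and `has_early_terminator` are hypothetical, the sample body is constructed, and the body is assumed to already use CRLF line endings.

```rust
/// Dot-stuff a message body for the SMTP DATA phase (RFC 5321, section 4.5.2):
/// every line that begins with '.' gets one extra '.' prepended.
/// Hypothetical helper for illustration, not lettre's API.
pub fn dot_stuff(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + 8);
    // The first byte of the body sits at the start of a line.
    let mut at_line_start = true;
    let mut prev = 0u8;
    for &b in body {
        if at_line_start && b == b'.' {
            out.push(b'.');
        }
        out.push(b);
        // Recomputed on every byte: after CRLF CRLF we are still at a line
        // start, so a period following an empty line is escaped too.
        at_line_start = prev == b'\r' && b == b'\n';
        prev = b;
    }
    out
}

/// True if the data contains the end-of-data marker "<CRLF>.<CRLF>"
/// (or begins with ".<CRLF>"), which would terminate the message early.
pub fn has_early_terminator(encoded: &[u8]) -> bool {
    encoded.starts_with(b".\r\n") || encoded.windows(5).any(|w| w == b"\r\n.\r\n")
}

fn main() {
    // Constructed sample: an empty line followed by a line holding only a period.
    let body = b"first line\r\n\r\n.\r\nsecond line\r\n";
    let encoded = dot_stuff(body);
    assert!(has_early_terminator(body));
    assert!(!has_early_terminator(&encoded));
    println!("{}", String::from_utf8_lossy(&encoded));
}
```

Running `has_early_terminator` over the encoder's output in a unit test or fuzz target gives a regression check for this class of bug.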
{ "license": "CC0-1.0" }