SMTP Injection is a vulnerability in which an attacker injects arbitrary SMTP commands into the SMTP communication between a client and a server, often by injecting CRLF characters into user-controlled parameters that are used without validation or adequate sanitization. The issue can exist in libraries and applications that use the SMTP protocol to send emails, including third-party libraries like smtp-client, Email MIME, and Net::SMTP, as well as low-level libraries like smtp-channel. The impact varies with the context of the affected application and includes sending copies of emails to a third party, modifying email content, or leveraging the application as a proxy for phishing attacks. To prevent SMTP Injection, developers should validate and sanitize user input, especially in low-level libraries, and ensure that well-known libraries like JavaMail, PHPMailer, and RubyMail prevent this vulnerability by sanitizing CRLF characters. The Python security team has also remediated this issue in their 3.X releases.
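The CRLF validation described above, as an added example that is not code from the original page or from any of the libraries it names: it builds an SMTP command line with and without input validation and counts how many commands a server would parse from the result. The function names, the exception class and the sample addresses are assumptions constructed for illustration.

```python
import re

# Control characters (CR, LF, NUL, the rest of C0, and DEL) never belong
# in an SMTP command argument.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeSmtpArgument(ValueError):
    """Raised when a value would break out of its SMTP command line."""


def naive_command(verb: str, address: str) -> bytes:
    # Vulnerable pattern: the value is concatenated into the command as-is.
    return f"{verb}:<{address}>\r\n".encode("ascii")


def safe_command(verb: str, address: str) -> bytes:
    # Hardened pattern: reject (rather than silently strip) control characters
    # and the angle brackets that delimit the path, then build the line.
    if _CTRL.search(address) or "<" in address or ">" in address:
        raise UnsafeSmtpArgument(f"illegal character in {verb} argument")
    return f"{verb}:<{address}>\r\n".encode("ascii")


def commands_seen_by_server(wire: bytes) -> list[bytes]:
    # An SMTP server treats every CRLF-terminated line as one command.
    return [line for line in wire.split(b"\r\n") if line]


# Constructed sample input: one clean value, one carrying an embedded CRLF.
BENIGN = "alice@example.com"
TAINTED = "alice@example.com>\r\nRCPT TO:<third-party@example.net"


def audit(address: str) -> dict:
    naive = commands_seen_by_server(naive_command("RCPT TO", address))
    try:
        safe = commands_seen_by_server(safe_command("RCPT TO", address))
        rejected = False
    except UnsafeSmtpArgument:
        safe, rejected = [], True
    return {"naive_commands": len(naive), "safe_commands": len(safe), "rejected": rejected}


if __name__ == "__main__":
    for value in (BENIGN, TAINTED):
        print(repr(value), audit(value))
```

Rejecting the value outright, instead of stripping the CRLF, keeps a malformed address from being silently rewritten into a different but valid one.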