GHSA-fv2f-rw9f-v9cm
smtp-server's command parser memory exhaustion denial-of-service
Details
Versions of smtp-server prior to v3.18.3 are vulnerable to an unauthenticated memory exhaustion denial of service. smtp-server's command parser allows any remote client to consume server memory by sending data that contains no newline characters. The server's `_remainder` buffer in `SMTPStream._write` grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop, and in some cases a process crash.
The `_write` method in `lib/smtp-stream.js` appends incoming TCP chunks to `this._remainder` in command mode. The buffer is only emptied when a newline is found. If a client never sends a newline, the `_remainder` value will grow indefinitely, causing excess memory consumption.
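The defensive counterpart to the pattern described above is a line reader that caps how many bytes may accumulate before a line terminator arrives. The following is an added example written for this advisory; it is not smtp-server's own code and not the v3.18.3 fix. The class name `BoundedLineReader`, the 1024-byte cap, the `ELINETOOLONG` error code and the `feedAll` driver are all assumptions chosen for illustration.

```javascript
// Added example (not smtp-server's code): newline-delimited command reader
// whose unterminated remainder can never exceed a fixed cap. The cap value,
// class name and error code are assumptions for this illustration.
'use strict';

const DEFAULT_MAX_LINE_BYTES = 1024; // assumed cap; SMTP command lines are far shorter

class BoundedLineReader {
  constructor(maxLineBytes = DEFAULT_MAX_LINE_BYTES) {
    this.maxLineBytes = maxLineBytes;
    this._remainder = Buffer.alloc(0); // bytes received since the last newline
    this.lines = [];                   // completed command lines, CR/LF stripped
    this.error = null;                 // set once the reader has rejected the stream
  }

  // Reset retained state and raise a typed error; a server would close the socket.
  _reject() {
    this._remainder = Buffer.alloc(0);
    this.error = Object.assign(new Error('command line too long'), { code: 'ELINETOOLONG' });
    throw this.error;
  }

  // Feed one TCP chunk. Complete lines are appended to this.lines; the
  // unterminated tail is kept only while it stays under the cap.
  write(chunk) {
    if (this.error) throw this.error;
    const data = Buffer.concat([this._remainder, chunk]);
    let start = 0;
    let nl;
    while ((nl = data.indexOf(0x0a, start)) !== -1) {
      let end = nl;
      if (end > start && data[end - 1] === 0x0d) end -= 1; // strip CR of CRLF
      const line = data.subarray(start, end);
      if (line.length > this.maxLineBytes) this._reject();  // terminated but oversized
      this.lines.push(line.toString('latin1'));
      start = nl + 1;
    }
    this._remainder = data.subarray(start);
    // The check the unbounded parser lacks: a client that never sends a
    // newline is rejected instead of growing this buffer indefinitely.
    if (this._remainder.length > this.maxLineBytes) this._reject();
  }
}

// Drive a reader over a list of string chunks (constructed sample input) and
// report what it extracted, how much it still holds, and whether it rejected.
function feedAll(chunks, maxLineBytes = DEFAULT_MAX_LINE_BYTES) {
  const reader = new BoundedLineReader(maxLineBytes);
  let errorCode = null;
  for (const chunk of chunks) {
    try {
      reader.write(Buffer.from(chunk, 'latin1'));
    } catch (err) {
      errorCode = err.code || err.message;
      break;
    }
  }
  return { lines: reader.lines, remainderBytes: reader._remainder.length, errorCode };
}

// Constructed sample: a command split across two chunks, then a stream that
// never terminates its line and is cut off at the cap.
console.log(feedAll(['EHLO exa', 'mple.com\r\nMAIL FROM:<a@b>\r\n']));
console.log(feedAll(['A'.repeat(600), 'A'.repeat(600), 'A'.repeat(600)], 1024));
```

The retained-bytes bound holds regardless of chunk size because the check runs after every write, and an oversized line is rejected even when it is eventually terminated, so the cap is a true upper bound on per-connection parser memory rather than a hint.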
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-38728 [ADVISORY]
- https://github.com/nodemailer/smtp-server/commit/592c5666fa0c76d1d04c1a32abad0ef806fbfe97 [WEB]
- https://bytecreator.dev/blog/CVE-2026-38728 [WEB]
- https://github.com/nodemailer/smtp-server [PACKAGE]
- https://github.com/nodemailer/smtp-server/releases/tag/v3.18.3 [WEB]