Vulnerability Description
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect users. This issue is fixed in version 0.7.1
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pebcak | Go-Mail | < 0.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/wneessen/go-mail/commit/42e92cfe027be04aff72921adb0f72f11d517Patch
- https://github.com/wneessen/go-mail/issues/495ExploitIssue Tracking
- https://github.com/wneessen/go-mail/pull/496Issue TrackingPatch
- https://github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5Vendor Advisory
- https://github.com/wneessen/go-mail/issues/495ExploitIssue Tracking
FAQ
What is CVE-2025-59937?
CVE-2025-59937 is a vulnerability with a CVSS score of 9.1 (CRITICAL). go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the cor...
How severe is CVE-2025-59937?
CVE-2025-59937 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-59937?
Check the references section above for vendor advisories and patch information. Affected products include: Pebcak Go-Mail.