CVE-2025-59937
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pebcak | go-mail | < 0.7.1 (0.7.1 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the go-mail library (versions 0.7.0 and below) is caused by incorrect handling of mail.Address values, specifically addresses with quoted local parts, when sender or recipient addresses are placed into the SMTP MAIL FROM and RCPT TO commands. If the application accepts arbitrary mail addresses from untrusted input, such as a web form, this can lead to wrong address routing or ESMTP parameter smuggling. Applications that use only static mail addresses without quoted local parts are not affected. The vulnerability is fixed in version 0.7.1.
How can this vulnerability impact me?
The vulnerability can cause emails to be routed incorrectly or allow ESMTP parameter smuggling, potentially leading to unauthorized email manipulation or delivery to unintended recipients. This can result in information leakage, delivery failures, or exploitation by attackers if arbitrary mail address input is accepted by the application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the go-mail library to version 0.7.1 or later, which contains the fix. Until the upgrade is in place, do not pass arbitrary mail addresses from untrusted sources such as web forms to the library, and validate that every sender and recipient address has a plain (unquoted) local part before it is used.
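As an added example (not go-mail's own code, and not a reproduction of the 0.7.1 fix), the Go program below shows the CWE-88 pattern the explanation above describes, a RCPT TO command built by concatenating a parsed mail.Address, next to the kind of conservative check the mitigation calls for: the address is rejected unless its local part is a plain dot-atom that would never need quoting. It relies on the documented behaviour of Go's net/mail, which returns the local part of a quoted address with the quotes removed. SplitRcpt models a hypothetical lenient receiver and exists only to show what the smuggled command looks like from the other side; the three input addresses are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrUnsafeAddress is returned for an address that cannot be placed
// verbatim inside an SMTP path without changing the command's structure.
var ErrUnsafeAddress = errors.New("smtp: local part is not a plain dot-atom or contains delimiter characters")

// NaiveRcptTo is the CWE-88 pattern: the parsed mail.Address.Address is
// concatenated into the command. net/mail strips the surrounding quotes
// from a quoted local part, so characters that were only legal because
// they were quoted end up unquoted inside the command line.
func NaiveRcptTo(raw string) (string, error) {
	a, err := mail.ParseAddress(raw)
	if err != nil {
		return "", err
	}
	return "RCPT TO:<" + a.Address + ">", nil
}

// isDotAtom reports whether local is an RFC 5322 dot-atom: runs of atext
// separated by single dots. Anything else would need quoting on the wire.
func isDotAtom(local string) bool {
	if local == "" || strings.HasPrefix(local, ".") || strings.HasSuffix(local, ".") || strings.Contains(local, "..") {
		return false
	}
	const atextSpecials = "!#$%&'*+-/=?^_`{|}~"
	for _, r := range local {
		switch {
		case r == '.':
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune(atextSpecials, r):
		default:
			return false
		}
	}
	return true
}

// SafeRcptTo parses the address and emits the command only if the local
// part is a plain dot-atom and the domain holds no character that could
// close the path or start an ESMTP parameter. Quoted local parts are
// rejected outright; this is a caller-side stopgap, not the library fix.
func SafeRcptTo(raw string) (string, error) {
	a, err := mail.ParseAddress(raw)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 1 || at == len(a.Address)-1 {
		return "", ErrUnsafeAddress
	}
	local, domain := a.Address[:at], a.Address[at+1:]
	if !isDotAtom(local) || strings.ContainsAny(domain, "<>@ \t\r\n") {
		return "", ErrUnsafeAddress
	}
	return "RCPT TO:<" + a.Address + ">", nil
}

// SplitRcpt models a hypothetical lenient receiver (an assumption for
// illustration) that takes everything up to the first '>' as the
// forward-path and the remainder as ESMTP parameters.
func SplitRcpt(cmd string) (path, params string) {
	rest := strings.TrimPrefix(cmd, "RCPT TO:<")
	i := strings.IndexByte(rest, '>')
	if i < 0 {
		return rest, ""
	}
	return rest[:i], strings.TrimSpace(rest[i+1:])
}

func main() {
	// Constructed inputs: one ordinary address and two quoted local parts
	// of the kind an attacker could submit through a web form.
	for _, raw := range []string{
		"alice@example.com",
		`"bob> NOTIFY=NEVER"@example.com`,
		`"victim@attacker.example"@example.com`,
	} {
		naive, _ := NaiveRcptTo(raw)
		path, params := SplitRcpt(naive)
		safe, err := SafeRcptTo(raw)
		fmt.Printf("input %q\n  naive: %s\n    receiver sees path=%q params=%q\n  safe:  %q err=%v\n",
			raw, naive, path, params, safe, err)
	}
}
```

Run with `go run .`: the second address yields `RCPT TO:<bob> NOTIFY=NEVER@example.com>`, which the lenient receiver reads as path `bob` with a parameter tacked on, and the third yields a path with two `@` signs whose routing depends on the receiver. SafeRcptTo rejects both while still accepting display-name forms such as `Alice <alice.smith@example.com>`. Rejecting quoted local parts is stricter than RFC 5322 allows, which is the trade-off the advisory's mitigation accepts.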