CVE-2025-59937
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-16

Assigner: GitHub, Inc.

Description
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect users. This issue is fixed in version 0.7.1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59937
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pebcak go-mail to 0.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the go-mail library (versions 0.7.0 and below) is caused by incorrect handling of mail.Address values when sender or recipient addresses are passed to SMTP MAIL FROM or RCPT TO commands. This can lead to wrong address routing or ESMTP parameter smuggling if the user's code allows arbitrary mail address input, such as from a web form. If only static mail addresses without quoted local parts are used, the issue does not affect users. The vulnerability is fixed in version 0.7.1.

Impact Analysis

The vulnerability can cause emails to be routed incorrectly or allow ESMTP parameter smuggling, potentially leading to unauthorized email manipulation or delivery to unintended recipients. This can result in information leakage, delivery failures, or exploitation by attackers if arbitrary mail address input is accepted by the application.

Mitigation Strategies

Upgrade the go-mail library to version 0.7.1 or later, as this version contains the fix for the vulnerability. Additionally, avoid allowing arbitrary mail address input from untrusted sources such as web forms, and ensure that mail addresses do not contain quoted local parts if static addresses are used.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59937. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart