CVE-2025-59937
CRITICAL
go-mail < 0.7.1 - ESMTP Parameter Smuggling via Mail Address Handling
Title source: llmDescription
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of mail.Address values when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO command of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows arbitrary mail address input (i.e. through a web form or similar). If only static mail addresses are used (i.e. from a config file) and the mail addresses in use do not contain quoted local parts, users should not be affected. This issue is fixed in version 0.7.1.
References (4)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5
Exploit, Issue Tracking x_refsource_misc
https://github.com/wneessen/go-mail/issues/495
Issue Tracking, Patch x_refsource_misc
https://github.com/wneessen/go-mail/pull/496
Scores
CVSS v3
9.1
EPSS
0.0049
EPSS Percentile
38.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-88
Status
published
Products (2)
pebcak/go-mail
< 0.7.1
wneessen/go-mail
0 - 0.7.1 (Go)
Published
Sep 29, 2025
Tracked Since
Feb 18, 2026