PT-2025-39914 · Go-Mail · Go-Mail

Xclow3N · Published 2025-09-29 · Updated 2025-11-07

CVE-2025-59937 · CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: go-mail versions 0.7.0 and below

Description: The go-mail library improperly handles mail.Address values when they are passed to the SMTP client's MAIL FROM or RCPT TO commands. This can lead to incorrect address routing or ESMTP parameter smuggling. Successful exploitation requires the user's code to allow arbitrary mail address input. The issue stems from using the raw Address value instead of the String() method, which properly escapes and quotes mail addresses. Specifically, a crafted mail address like "toni.tester@example.com> ORCPT=admin@admin.com"@example.com could be misinterpreted by the SMTP server, potentially routing mail to unintended recipients or allowing the injection of additional SMTP commands.

Recommendations: Update to version 0.7.1 or later.
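As an added illustration (not code from the advisory or from the go-mail project), the Go program below contrasts the raw Address field with Address.String() from the standard library's net/mail package, which is assumed here to be the mail.Address type the advisory refers to, and adds an application-side pre-check for user-supplied addresses; the function names are hypothetical and the crafted input is the one quoted in the description.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Crafted address quoted in the advisory; valid RFC 5322 because the local part is a quoted-string.
const craftedInput = `"toni.tester@example.com> ORCPT=admin@admin.com"@example.com`

// envelopeArgRaw is the unsafe pattern: the unquoted Address field goes straight into
// the envelope command, so the '>' in the local part closes the angle-addr early.
func envelopeArgRaw(raw string) (string, error) {
	a, err := mail.ParseAddress(raw)
	if err != nil {
		return "", err
	}
	return "RCPT TO:<" + a.Address + ">", nil
}

// envelopeArgQuoted uses Address.String(), which re-quotes a local part containing
// non-atext characters, so the server sees exactly one angle-addr.
func envelopeArgQuoted(raw string) (string, error) {
	a, err := mail.ParseAddress(raw)
	if err != nil {
		return "", err
	}
	return "RCPT TO:" + a.String(), nil
}

// isSafeEnvelopeAddress is an application-side pre-check: reject user input whose
// unquoted form could terminate the angle-addr or carry ESMTP parameters.
func isSafeEnvelopeAddress(raw string) bool {
	a, err := mail.ParseAddress(raw)
	if err != nil || strings.Count(a.Address, "@") != 1 {
		return false
	}
	return !strings.ContainsAny(a.Address, "<> \t\r\n\"\\")
}

func main() {
	r, _ := envelopeArgRaw(craftedInput)
	q, _ := envelopeArgQuoted(craftedInput)
	fmt.Println("raw:    ", r)
	fmt.Println("quoted: ", q)
	fmt.Println("safe?   ", isSafeEnvelopeAddress(craftedInput), isSafeEnvelopeAddress("toni.tester@example.com"))
}
```

The quoted form keeps the whole local part inside double quotes, so the first `>` the server parses is the one that legitimately closes the address.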

Weakness Enumeration: Argument Injection

Related Identifiers

CVE-2025-59937
GHSA-WPWJ-69CM-Q9C5
GO-2025-3988
OPENSUSE-SU-2025:15710-1

Affected Products

Go-Mail