Mail Routing and ESMTP Parameter Issues in Go-Mail by Wneessen
CVE-2025-59937

8.2HIGH

Key Information:

Vendor

Wneessen

Status
Go-mail
Vendor
CVE Published:
29 September 2025

What is CVE-2025-59937?

The go-mail library, widely used for sending emails with Go, contains an issue in versions 0.7.0 and earlier where improper handling of mail.Address values can lead to vulnerability during the execution of the MAIL FROM or RCPT TO commands. This flaw may result in incorrect mail routing or the potential for ESMTP parameter smuggling. Successful exploitation occurs when user-controlled input is allowed for email addresses, particularly through dynamic interfaces such as web forms. Users utilizing static addresses in configuration files that do not include quoted local parts may not be affected. This vulnerability has been addressed in version 0.7.1.

Affected Version(s)

go-mail < 0.7.1

References

https://github.com/wneessen/go-mail/security/advisories/G...
x_refsource_CONFIRM
https://github.com/wneessen/go-mail/issues/495
x_refsource_MISC
https://github.com/wneessen/go-mail/pull/496
x_refsource_MISC

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-59937 : Mail Routing and ESMTP Parameter Issues in Go-Mail by Wneessen