N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59937

GHSA ID

GHSA-wpwj-69cm-q9c5

EPSS Score

CWE

CWE-88

Published

9/29/2025

Updated

9/29/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59937

CVE-2025-59937: go-mail has insufficient address encoding when passing mail addresses to the SMTP client

Impact

Due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, this could lead to a possible wrong address routing or even to ESMTP parameter smuggling.

Vulnerability details

Instead of making use of the String() method of mail.Address, which takes care of proper escaping and quotation of mail address, we used the Address value of the mail.Address which is the raw value when passing it to our SMTP client.

This meant, if a mail address like this was set: "toni.tester@example.com> ORCPT=admin@admin.com"@example.com for a sender or recipient, instead of the correctly quoted/escaped address, the SMTP client would get the raw value passed which would translate into something like this being passed to the SMTP server: RCPT TO:<toni.tester@example.com> ORCPT=admin@admin.com@example.com>.

Since ORCTP is a valid command for the SMTP server, the mail would be routed to the wrong address. Additionally, other SMTP commands could potientially be smuggled in using this method causing unexpected behaviour.

Exploitation requirements

For successful exploitation of this vulnerability it is required that the user's code is allowing for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect your code.

Patches

The vulnerability has been fixed with PR #496 and the fix has been shipped with the go-mail v0.7.1 release.

Issue #495 holds the full report and discussion.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-59937

GHSA ID

GHSA-wpwj-69cm-q9c5

EPSS Score

CWE

CWE-88

Published

9/29/2025

Updated

9/29/2025

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/wneessen/go-mail	go	< 0.7.1	0.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the insufficient encoding of email addresses passed to the SMTP client, which can be exploited for SMTP command injection. The root cause is found in the Msg.GetSender and Msg.GetRecipients functions, which were returning raw, unescaped email addresses instead of properly formatted ones. These raw addresses were then consumed by the smtp.Client.Mail and smtp.Client.Rcpt functions. These functions would wrap the provided addresses in angle brackets, but a crafted address containing a closing angle bracket could terminate the address field prematurely and allow an attacker to inject arbitrary SMTP commands. The patch addresses this by modifying Msg.GetSender and Msg.GetRecipients to use the String() method, which ensures correct escaping and quoting of the email address. Consequently, the smtp.Client.Mail and smtp.Client.Rcpt functions were updated to remove the hardcoded angle brackets, as the String() method now provides them, thus preventing the injection.

Vulnerable functions

Msg.GetSender

msg.go

The function returned the raw, unescaped email address from the `Address` field of the `mail.Address` struct. This allowed an attacker to inject SMTP commands by crafting a malicious email address. The fix is to use the `String()` method, which properly escapes and quotes the address.

Msg.GetRecipients

msg.go

Similar to `GetSender`, this function returned a list of raw, unescaped email addresses. This allowed for SMTP command injection. The fix is to use the `String()` method for each recipient's address to ensure proper formatting and escaping.

Client.Mail

smtp/smtp.go

This function constructs the `MAIL FROM` SMTP command. Before the patch, it would wrap the provided 'from' string in angle brackets. When a raw, unescaped address from `Msg.GetSender` was passed, it created an opportunity for command injection. The fix removes the angle brackets, delegating the responsibility of correct formatting to the input string, which is now handled by `Msg.GetSender`.

Client.Rcpt

smtp/smtp.go

This function constructs the `RCPT TO` SMTP command. It was vulnerable for the same reason as `Client.Mail`. It would wrap the raw recipient address in angle brackets, allowing for command injection. The patch removes these brackets, relying on the input to be correctly formatted by `Msg.GetRecipients`.

WAF Protection Rules

WAF Rule

### Imp**t *u* to in*orr**t **n*lin* o* t** `m*il.***r*ss` v*lu*s w**n * s*n**r- or r**ipi*nt ***r*ss is p*ss** to t** *orr*spon*in* `M*IL *ROM` or `R*PT TO` *omm*n*s o* t** SMTP *li*nt, t*is *oul* l*** to * possi*l* wron* ***r*ss routin* or *v*n to

Reasoning

T** vuln*r**ility li*s in t** insu**i*i*nt *n*o*in* o* *m*il ***r*ss*s p*ss** to t** SMTP *li*nt, w*i** **n ** *xploit** *or SMTP *omm*n* inj**tion. T** root **us* is *oun* in t** `Ms*.**tS*n**r` *n* `Ms*.**tR**ipi*nts` *un*tions, w*i** w*r* r*turnin

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-59937: go-mail has insufficient address encoding when passing mail addresses to the SMTP client

Impact

Vulnerability details

Exploitation requirements

Patches

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI