GHSA-wpwj-69cm-q9c5 — high GitHub Advisory (CVE-2025-59937) in go/github.com/wneessen/go-mail

Description

Impact

Due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, this could lead to a possible wrong address routing or even to ESMTP parameter smuggling.

Vulnerability details

Instead of making use of the String() method of mail.Address, which takes care of proper escaping and quotation of mail address, we used the Address value of the mail.Address which is the raw value when passing it to our SMTP client.

This meant, if a mail address like this was set: "[email protected]> [email protected]"@example.com for a sender or recipient, instead of the correctly quoted/escaped address, the SMTP client would get the raw value passed which would translate into something like this being passed to the SMTP server: RCPT TO:<[email protected]> [email protected]@example.com>.

Since ORCTP is a valid command for the SMTP server, the mail would be routed to the wrong address. Additionally, other SMTP commands could potientially be smuggled in using this method causing unexpected behaviour.

Exploitation requirements

For successful exploitation of this vulnerability it is required that the user's code is allowing for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect your code.

Patches

The vulnerability has been fixed with PR #496 and the fix has been shipped with the go-mail v0.7.1 release.

Issue #495 holds the full report and discussion.

Basic information

Type: reviewed
Severity: high
Advisory on GitHub: Open advisory ↗
Repository advisory: Open repository advisory ↗
Source code: Browse source ↗
Published (advisory): 2025-09-29 16:28:58 UTC
Updated: 2025-11-05 22:02:01 UTC
GitHub reviewed: 2025-09-29 16:28:58 UTC
NVD published: 2025-09-29

Score	Percentile
0.07%	21.84%

CVSS Scores

Base score	Version	Severity	Vector
8.2	4.0	—	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network. Attack complexity (AC:L) Exploitation conditions are straightforward and stable. Attack requirements (AT:P) Additional preconditions must be present for exploitation. Privileges required (PR:N) No privileges are required. User interaction (UI:N) No user interaction is required. Vulnerable system confidentiality impact (VC:N) No confidentiality impact on the vulnerable system. Vulnerable system integrity impact (VI:H) High integrity impact on the vulnerable system. Vulnerable system availability impact (VA:N) No availability impact on the vulnerable system. Subsequent system confidentiality impact (SC:N) No confidentiality impact on subsequent systems. Subsequent system integrity impact (SI:N) No integrity impact on subsequent systems. Subsequent system availability impact (SA:N) No availability impact on subsequent systems.

Identifiers

Type	Value
GHSA	GHSA-wpwj-69cm-q9c5 ↗
CVE	CVE-2025-59937 ↗

CWEs

CWE id	Name
CWE-88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Credits

xclow3n (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
go	github.com/wneessen/go-mail	< 0.7.1	0.7.1	—

go-mail has insufficient address encoding when passing mail addresses to the SMTP client