CVE-2025-59937
Vulnerability analysis and mitigation

Overview

CVE-2025-59937 affects go-mail, a comprehensive library for sending mails with Go, in versions 0.7.0 and below. The vulnerability was discovered and reported by xclow3n on September 25, 2025, and was fixed in version 0.7.1. The issue stems from incorrect handling of mail.Address values when sender or recipient addresses are passed to SMTP client commands (GitHub Advisory).

Techniques

The vulnerability occurs due to improper handling of mail.Address values in SMTP MAIL FROM and RCPT TO commands. Instead of using the String() method of mail.Address for proper escaping and quotation, the library used the raw Address value. For example, when processing an address like '"toni.tester@example.com> ORCPT=admin@admin.com"@example.com', the SMTP server would receive the unescaped command 'RCPT TO: ORCPT=admin@admin.com@example.com>', potentially leading to command injection. The vulnerability has been assigned a CVSS v4.0 score of 8.2 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N and is classified as CWE-88 (Argument Injection) (GitHub Advisory).

Impact

The vulnerability can lead to email misrouting and ESMTP parameter smuggling. This could result in emails being sent to unintended domains, potential filter evasion where logs and anti-spam systems might be bypassed, and possible domain-based access control bypass in downstream applications. The issue presents compliance concerns as it violates RFC 5321/5322 parsing rules (GitHub Issue).

Mitigation and workarounds

The vulnerability has been fixed in go-mail version 0.7.1. The fix properly implements address encoding when passing mail addresses to the SMTP client, using the String() method of mail.Address for proper escaping and quotation. Users should upgrade to version 0.7.1 or later to address this vulnerability (GitHub PR).
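The following Go program is added here as an illustration (it is not go-mail code and not taken from the advisory) of the bug described above and of the fix: it builds the RCPT TO command from the parsed address once with the raw Address field (pre-0.7.1) and once with Address.String() (0.7.1), then splits each line the way an RFC 5321 server does. The names rcptToLine, splitRcpt and serverView are assumptions of this example, and the recipient string is the constructed one the advisory describes.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed recipient: the quoted local part carries '>' and an ESMTP parameter.
const craftedRecipient = `"toni.tester@example.com> ORCPT=admin@admin.com"@example.com`

// rcptToLine builds the command. escaped=false reproduces the pre-0.7.1 bug (raw
// Address field, quotes already stripped by the parser); escaped=true is the fix.
func rcptToLine(a *mail.Address, escaped bool) string {
	if escaped {
		return "RCPT TO:" + a.String() // re-quotes any non-dot-atom local part
	}
	return fmt.Sprintf("RCPT TO:<%s>", a.Address)
}

// splitRcpt reads the command as an RFC 5321 server does: the forward-path is the
// bracketed token ('>' inside quotes does not end it); the rest are ESMTP params.
func splitRcpt(line string) (path string, params []string, err error) {
	arg := strings.TrimPrefix(line, "RCPT TO:")
	if !strings.HasPrefix(arg, "<") {
		return "", nil, fmt.Errorf("forward-path must start with '<'")
	}
	inQuote := false
	for i := 1; i < len(arg); i++ {
		c := arg[i]
		if inQuote && c == '\\' {
			i++ // quoted-pair: skip the escaped byte
		} else if c == '"' {
			inQuote = !inQuote
		} else if c == '>' && !inQuote {
			return arg[:i+1], strings.Fields(arg[i+1:]), nil
		}
	}
	return "", nil, fmt.Errorf("unterminated forward-path")
}

// serverView parses raw as an RFC 5322 address, builds the command with or
// without escaping, and returns the path and parameters the server would act on.
func serverView(raw string, escaped bool) (string, []string, error) {
	a, err := mail.ParseAddress(raw)
	if err != nil {
		return "", nil, err
	}
	return splitRcpt(rcptToLine(a, escaped))
}
```

With escaping off the server sees the path `<toni.tester@example.com>` plus a smuggled ORCPT parameter; with escaping on the whole mailbox stays inside one quoted path and no parameters are produced.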

This report was generated using AI.
