CVE-2025-59937: 
Wolfi vulnerability analysis and mitigation

CVE-2025-59937 affects go-mail, a comprehensive library for sending mails with Go, versions 0.7.0 and below. The vulnerability was discovered and reported by xclow3n on September 25, 2025, and was fixed in version 0.7.1. The issue stems from incorrect handling of mail.Address values when sender or recipient addresses are passed to MAIL FROM or RCPT TO commands of the SMTP client (GitHub Advisory).

The vulnerability occurs due to improper handling of quoted local-parts containing @ symbols in email addresses. Instead of using the String() method of mail.Address for proper escaping and quotation, the library used the raw Address value when passing it to the SMTP client. For example, if an address like '"toni.tester@example.com> ORCPT=admin@admin.com"@example.com' was provided, the SMTP client would receive the unescaped value, potentially leading to command injection. The vulnerability has been assigned a CVSS v4.0 score of 8.2 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability can lead to email misrouting, where messages are sent to unintended domains, potentially causing data leakage. It also enables filter evasion, allowing bypass of logs and anti-spam systems through hidden recipients in quoted local-parts. The issue could lead to domain-based access control bypass in downstream applications using the library. Additionally, it violates RFC 5321/5322 parsing rules, potentially causing compliance issues (GitHub Issue).

The vulnerability has been fixed in go-mail version 0.7.1. The fix includes proper handling of mail address parsing and encoding when passing addresses to the SMTP client. Users should upgrade to version 0.7.1 or later to address this vulnerability. The fix was implemented through PR #496, which ensures proper use of the String() method for address formatting and adds comprehensive test cases for address injection scenarios (GitHub PR).