CVE-2025-59937: 
Wolfi vulnerability analysis and mitigation

CVE-2025-59937 affects go-mail, a comprehensive library for sending mails with Go, in versions 0.7.0 and below. The vulnerability was discovered and disclosed on September 29, 2025, and involves incorrect handling of mail.Address values when sender or recipient addresses are passed to SMTP client commands. This vulnerability could lead to wrong address routing or ESMTP parameter smuggling (GitHub Advisory).

The vulnerability stems from using the raw Address value of mail.Address instead of its String() method, which properly handles escaping and quotation. When a maliciously crafted email address like '"toni.tester@example.com> ORCPT=admin@admin.com"@example.com' is processed, the SMTP client receives the unescaped value, potentially allowing command injection. The vulnerability has been assigned a CVSS v4.0 score of 8.2 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N and is classified as CWE-88 (Argument Injection) (GitHub Advisory, Miggo).

The vulnerability can lead to email misrouting, where messages are delivered to unintended domains. It also enables potential SMTP command injection and parameter smuggling. This could result in data leakage, filter evasion, and bypass of domain-based access controls. The impact is particularly severe when the application allows arbitrary mail address input through web forms or similar interfaces (GitHub Advisory).

The vulnerability has been fixed in version 0.7.1 of go-mail. The fix implements proper address encoding by using the String() method of mail.Address for handling email addresses. Users should upgrade to version 0.7.1 or later to address this vulnerability (GitHub Advisory).