GHSA-WPWJ-69CM-Q9C5

Vulnerability from github – Published: 2025-09-29 16:28 – Updated: 2025-11-05 22:01
Summary
go-mail has insufficient address encoding when passing mail addresses to the SMTP client
Details

Impact

Due to incorrect handling of mail.Address values when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO command of the SMTP client, mail can be routed to the wrong address, or ESMTP parameters can be smuggled into the envelope command.

Vulnerability details

Instead of using the String() method of mail.Address, which takes care of quoting and escaping the local part of the address, we passed the raw Address field of the mail.Address to our SMTP client. net/mail stores the local part in Address with its quotes already removed, so any characters that were only legal inside the quoted string end up unprotected on the wire.

This meant that if an address such as "toni.tester@example.com> ORCPT=admin@admin.com"@example.com was set as a sender or recipient, the SMTP client received the raw value instead of the correctly quoted and escaped address, and something like the following was sent to the SMTP server: RCPT TO:<toni.tester@example.com> ORCPT=admin@admin.com@example.com>.

Since ORCPT is a valid ESMTP parameter on the RCPT TO command (it is the DSN "original recipient" parameter from RFC 3461), the server accepts the injected parameter and the mail could be routed to the wrong address. Other ESMTP parameters could potentially be smuggled in the same way, causing unexpected behaviour.

Exploitation requirements

Successful exploitation requires that the calling code accepts arbitrary mail address input (e.g. from a web form or similar). If only static mail addresses are used (e.g. from a config file) and none of those addresses has a quoted local part, your code is not affected.
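The following is an added example, not code from the go-mail project, that reproduces the encoding difference described in the vulnerability details and the exploitation requirements above with nothing but the standard library. The hostile address is the one quoted in the advisory; the benign address, the function names rcptLineUnsafe, rcptLineSafe and rejectAmbiguous, and the policy check itself are assumptions made for this illustration. rcptLineUnsafe models the pre-v0.7.1 behaviour (raw Address field interpolated into RCPT TO); rcptLineSafe applies the fix the advisory names, (*mail.Address).String(), which re-quotes the local part; rejectAmbiguous is an optional, stricter-than-RFC guard for code that takes addresses from untrusted input.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// hostileInput is the constructed attacker-controlled address from the advisory:
// a syntactically valid RFC 5322 address whose quoted local part carries an
// SMTP angle-bracket terminator followed by an ORCPT parameter.
const hostileInput = `"toni.tester@example.com> ORCPT=admin@admin.com"@example.com`

// rcptLineUnsafe builds the RCPT TO command the way the advisory describes the
// vulnerable code doing it (modelled on the advisory, not copied from go-mail):
// the raw Address field, which net/mail has already unquoted, is interpolated
// verbatim between the angle brackets.
func rcptLineUnsafe(a *mail.Address) string {
	return "RCPT TO:<" + a.Address + ">"
}

// rcptLineSafe builds the command from (*mail.Address).String(), which re-quotes
// a local part containing characters outside dot-atom (space, '>', '@', ...).
// The display name is dropped first so String() yields only the angle-addr,
// which is the only form an envelope command may carry.
func rcptLineSafe(a *mail.Address) string {
	bare := mail.Address{Address: a.Address}
	return "RCPT TO:" + bare.String()
}

// errAmbiguousAddress is returned by rejectAmbiguous, a hypothetical policy
// check, for addresses whose local part would need quoting on the wire.
var errAmbiguousAddress = errors.New("local part needs quoting on the SMTP wire; rejected by policy")

// rejectAmbiguous is an optional defence-in-depth check for code that accepts
// addresses from untrusted input: it refuses any address whose raw local part
// contains CR, LF, '<', '>' or whitespace. RFC 5321 permits such local parts
// when quoted, so this is a policy choice, not a correctness requirement; the
// actual fix is to encode correctly, as rcptLineSafe does.
func rejectAmbiguous(a *mail.Address) error {
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return errors.New("address has no domain part")
	}
	local := a.Address[:at]
	if strings.ContainsAny(local, "\r\n<> \t") {
		return errAmbiguousAddress
	}
	return nil
}

func main() {
	// The second input is a constructed benign address for comparison.
	for _, in := range []string{hostileInput, "Toni Tester <toni.tester@example.com>"} {
		a, err := mail.ParseAddress(in)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("input:  %s\n", in)
		fmt.Printf("unsafe: %s\n", rcptLineUnsafe(a))
		fmt.Printf("safe:   %s\n", rcptLineSafe(a))
		fmt.Printf("policy: %v\n\n", rejectAmbiguous(a))
	}
}
```

Running it shows the unsafe line for the hostile input is exactly the RCPT TO command quoted in the advisory, with a second `>` and a dangling ORCPT parameter, while the safe line keeps the entire local part inside one quoted string so the server sees a single recipient. Note that mail.ParseAddress accepts the hostile input without complaint: the quoted-string grammar allows '>' , '@' and spaces, so input validation at parse time does not protect you; the envelope encoding does.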

Patches

The vulnerability has been fixed in PR #496, and the fix shipped in the go-mail v0.7.1 release.

Issue #495 holds the full report and discussion.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/wneessen/go-mail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-29T16:28:58Z",
    "nvd_published_at": "2025-09-29T23:15:31Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nDue to incorrect handling of the `mail.Address` values when a sender- or recipient address is passed to the corresponding `MAIL FROM` or `RCPT TO` commands of the SMTP client, this could lead to a possible wrong address routing or even to ESMTP parameter smuggling.\n\n#### Vulnerability details\nInstead of making use of the `String()` method of `mail.Address`, which takes care of proper escaping and quotation of mail address, we used the `Address` value of the `mail.Address` which is the raw value when passing it to our SMTP client.\n\nThis meant, if a mail address like this was set: `\"toni.tester@example.com\u003e ORCPT=admin@admin.com\"@example.com` for a sender or recipient, instead of the correctly quoted/escaped address, the SMTP client would get the raw value passed which would translate into something like this being passed to the SMTP server: `RCPT TO:\u003ctoni.tester@example.com\u003e ORCPT=admin@admin.com@example.com\u003e`. \n\nSince ORCTP is a valid command for the SMTP server, the mail would be routed to the wrong address. Additionally, other SMTP commands could potientially be smuggled in using this method causing unexpected behaviour.\n\n#### Exploitation requirements\nFor successful exploitation of this vulnerability it is required that the user\u0027s code is allowing for arbitrary mail address input (i. e. through a web form or similar). If only static mail addresses are used (i. e. in a config file) and the mail addresses in use do not consist of quoted local parts, this should not affect your code.\n\n### Patches\nThe vulnerability has been fixed with PR #496 and the fix has been shipped with the go-mail v0.7.1 release.\n\nIssue #495 holds the full report and discussion.",
  "id": "GHSA-wpwj-69cm-q9c5",
  "modified": "2025-11-05T22:01:58Z",
  "published": "2025-09-29T16:28:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wneessen/go-mail/issues/495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wneessen/go-mail/pull/496"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wneessen/go-mail/commit/42e92cfe027be04aff72921adb0f72f11d517479"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wneessen/go-mail"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3988"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "go-mail has insufficient address encoding when passing mail addresses to the SMTP client"
}