cvedb.io
CVE-2025-59937
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2025-09-29T23:15:31.807 · Last modified 2026-06-17T09:46:53.247

Summary

go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of mail.Address values when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO command of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, the user's code must allow arbitrary mail address input (i.e. through a web form or similar). If only static mail addresses are used (i.e. in a config file) and the mail addresses in use do not contain quoted local parts, users should not be affected. This issue is fixed in version 0.7.1.
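The following Go example is added here as an illustration of the defensive check a caller can apply before handing user-supplied addresses to any SMTP client; it is not code from go-mail, and the helper names SafeEnvelopeAddress and EnvelopeCommand are hypothetical. It relies on two documented behaviours of the standard library: net/mail.ParseAddress strips the quotes from a quoted local part, so the parsed Address field for a quoted local part may contain whitespace, and mail.Address.String() re-quotes a local part that is not a plain dot-atom. Any address that would need re-quoting is refused rather than written into the envelope.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrUnsafeEnvelopeAddress marks input that must not be placed into an SMTP
// MAIL FROM / RCPT TO command as-is.
var ErrUnsafeEnvelopeAddress = errors.New("address not safe for SMTP envelope use")

// SafeEnvelopeAddress (hypothetical helper, not part of go-mail) parses
// user-supplied input with net/mail and returns the bare addr-spec only when
// it can be emitted inside <...> unchanged.
//
// net/mail strips the quotes from a quoted local part, so parsed.Address for
// `"alice smith"@example.com` is `alice smith@example.com`. Written raw into
// an envelope command, the space would end the address early, which is the
// routing / parameter-smuggling condition the advisory describes. The
// round-trip through mail.Address.String() detects exactly the local parts
// that would need re-quoting.
func SafeEnvelopeAddress(input string) (string, error) {
	parsed, err := mail.ParseAddress(input)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	addr := parsed.Address

	// Nothing that can terminate or extend an SMTP command line.
	if strings.ContainsAny(addr, " \t\r\n<>\x00") {
		return "", fmt.Errorf("%w: delimiter character in %q", ErrUnsafeEnvelopeAddress, addr)
	}
	// Require a dot-atom local part: String() re-quotes anything else.
	if (&mail.Address{Address: addr}).String() != "<"+addr+">" {
		return "", fmt.Errorf("%w: local part of %q needs quoting", ErrUnsafeEnvelopeAddress, addr)
	}
	return addr, nil
}

// EnvelopeCommand (hypothetical) builds a MAIL FROM or RCPT TO line from a
// validated address, making the intended call site explicit.
func EnvelopeCommand(verb, input string) (string, error) {
	addr, err := SafeEnvelopeAddress(input)
	if err != nil {
		return "", err
	}
	return verb + ":<" + addr + ">", nil
}

func main() {
	// Constructed sample inputs, including a quoted local part as in the advisory.
	for _, in := range []string{
		"Alice <alice@example.com>",
		`"plain"@example.com`,
		`"alice smith"@example.com`,
		"not an address",
	} {
		cmd, err := EnvelopeCommand("RCPT TO", in)
		if err != nil {
			fmt.Printf("%-30q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-30q -> %s\n", in, cmd)
	}
}
```

A quoted local part that does not actually need quoting (`"plain"@example.com`) is normalised to `plain@example.com` and accepted, since the resulting envelope line is unambiguous; only addresses whose raw form cannot be emitted verbatim are refused. The same check is also the natural place to log rejected input for detection.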

Affected products

pebcak — go-mail

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.