CVE-2025-59937

9.1 CRITICAL

📋 TL;DR

The go-mail library versions 0.7.0 and below incorrectly handle mail.Address values when passed to SMTP commands, potentially allowing wrong address routing or ESMTP parameter smuggling. This affects applications that accept arbitrary email addresses as input (like web forms), but not those using only static addresses from configuration files. Successful exploitation could lead to email interception or manipulation.

💻 Affected Systems

Products:
  • go-mail library
Versions: 0.7.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when applications accept arbitrary email address input; static addresses from config files are safe unless they contain quoted local parts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept or redirect emails, perform email spoofing, or smuggle malicious ESMTP parameters leading to further server compromise.

🟠 Likely Case

Email misrouting or manipulation when applications accept user-controlled email addresses without proper validation.

🟢 If Mitigated

No impact if applications only use static, non-quoted email addresses from trusted sources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the application to accept user-controlled email addresses; static address usage prevents exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.7.1

Vendor Advisory: https://github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5

Restart Required: No

Instructions:

1. Update the go-mail dependency to version 0.7.1 or higher.
2. Run 'go get github.com/wneessen/go-mail@v0.7.1'.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input Validation


Validate and sanitize all email address inputs to prevent malicious characters.

Restrict Address Sources


Only use static email addresses from trusted configuration files, avoiding user input.

🧯 If You Can't Patch

  • Implement strict input validation to reject email addresses with special characters or quoted local parts.
  • Monitor email sending logs for unusual patterns or unexpected address routing.
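The strict validation suggested above, written out as an added example for this page (it is not go-mail's code and not part of the advisory). It uses only the standard library's net/mail parser; the function name ValidateAddress, the allowed-character policy and the sample inputs are this example's own choices. The policy is deliberately narrower than RFC 5322: it rejects control characters and non-ASCII before parsing, then rejects display names, quoted local parts and anything outside a plain dot-atom, and returns the normalized local@domain form that is safe to hand to a mail library.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// allowedLocal is the conservative character set this example permits in the
// local part: RFC 5322 atext plus '.' for dot-atoms. Policy choice for this
// example, stricter than what the RFC allows (no quoted strings at all).
const allowedLocal = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" +
	"!#$%&'*+-/=?^_`{|}~."

// ErrRejected wraps every policy rejection so callers can test for it with errors.Is.
var ErrRejected = errors.New("address rejected by policy")

// ValidateAddress checks a user-supplied address (e.g. from a web form) and
// returns the normalized "local@domain" string, or an error if the address
// uses control characters, non-ASCII, a display name, a quoted local part, or
// characters outside allowedLocal. Hypothetical helper written for this page.
func ValidateAddress(input string) (string, error) {
	// Reject control characters (CR, LF, TAB, ...) and non-ASCII before the
	// parser sees them: line breaks in an address are what allow extra SMTP
	// parameters or commands to ride along with it.
	for _, r := range input {
		if r < 0x20 || r > 0x7e {
			return "", fmt.Errorf("%w: control or non-ASCII character %q", ErrRejected, r)
		}
	}

	addr, err := mail.ParseAddress(input)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRejected, err)
	}
	if addr.Name != "" {
		// "Bob <bob@example.com>" parses fine, but a display name is not an
		// address; accept only bare addr-spec input.
		return "", fmt.Errorf("%w: display names not allowed", ErrRejected)
	}

	at := strings.LastIndex(addr.Address, "@")
	if at <= 0 || at == len(addr.Address)-1 {
		return "", fmt.Errorf("%w: missing local part or domain", ErrRejected)
	}
	local, domain := addr.Address[:at], addr.Address[at+1:]

	// net/mail unquotes a quoted local part, so "a b"@example.com arrives here
	// as local = `a b`. Any space, quote or backslash therefore means the
	// input used a quoted-string local part, which this policy rejects.
	if strings.ContainsAny(local, "\"\\ ") {
		return "", fmt.Errorf("%w: quoted local part", ErrRejected)
	}
	for _, r := range local {
		if !strings.ContainsRune(allowedLocal, r) {
			return "", fmt.Errorf("%w: character %q in local part", ErrRejected, r)
		}
	}
	if strings.HasPrefix(local, ".") || strings.HasSuffix(local, ".") || strings.Contains(local, "..") {
		return "", fmt.Errorf("%w: malformed dot-atom", ErrRejected)
	}
	// Keep the domain to a plain dot-atom as well: no address literals,
	// no angle brackets, no empty labels.
	if domain == "" || strings.ContainsAny(domain, "[]<>\"\\ ") || strings.Contains(domain, "..") {
		return "", fmt.Errorf("%w: unsupported domain form", ErrRejected)
	}
	return addr.Address, nil
}

func main() {
	// Constructed sample inputs for this example.
	samples := []string{
		"alice@example.com",
		`"alice"@example.com`,
		"Bob <bob@example.com>",
		`"a b"@example.com`,
		"alice@example.com\r\n",
	}
	for _, in := range samples {
		out, err := ValidateAddress(in)
		fmt.Printf("%-28q -> %q err=%v\n", in, out, err)
	}
}
```

Pass the returned string, never the raw form input, to the code that builds the message: everything that then reaches the SMTP layer is a plain dot-atom address, so there is nothing for the library to quote or mis-handle, and errors.Is(err, ErrRejected) gives the web layer a single condition to log and reject on. Note that a quoted local part containing only safe characters (`"alice"@example.com`) is accepted and normalized to alice@example.com, because the two spellings denote the same mailbox.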

🔍 How to Verify

Check if Vulnerable:

Check your go.mod file for the 'github.com/wneessen/go-mail' version; if the version is 0.7.0 or below, you are vulnerable.

Check Version:

grep 'github.com/wneessen/go-mail' go.mod

Verify Fix Applied:

Verify go.mod contains 'github.com/wneessen/go-mail v0.7.1' or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual email routing patterns
  • SMTP commands with unexpected parameters
  • Failed email deliveries with address parsing errors

Network Indicators:

  • SMTP traffic with malformed MAIL FROM or RCPT TO commands
  • Unexpected email redirections

SIEM Query:

source="*mail.log*" AND ("MAIL FROM" OR "RCPT TO") AND (error OR failed OR unexpected)
