CVE-2025-59937: go-mail has insufficient address encoding when passing mail addresses to the SMTP client
Incorrect handling of mail.Address values when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client could lead to wrong address routing or even to ESMTP parameter smuggling.
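A defensive pre-flight check for the issue described above, as an added example that is not taken from the advisory or from go-mail: it refuses envelope addresses that could alter how a MAIL FROM or RCPT TO line is tokenized. The names envelopeLine and serverView, the rejected character set and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// envelopeLine is a hypothetical pre-flight guard, not part of go-mail.
// It builds "MAIL FROM:<...>" / "RCPT TO:<...>" only when the addr-spec
// cannot change how a server tokenizes the command line.
func envelopeLine(verb, raw string) (string, error) {
	parsed, err := mail.ParseAddress(raw)
	if err != nil {
		return "", fmt.Errorf("unparseable address: %w", err)
	}
	spec := parsed.Address // net/mail stores the local part unquoted here
	if strings.Count(spec, "@") != 1 {
		return "", errors.New("more than one @ makes routing ambiguous")
	}
	for _, r := range spec {
		// Refuse whitespace, control characters and path or quote delimiters.
		if r <= ' ' || r == 0x7f || strings.ContainsRune(`<>"\`, r) {
			return "", fmt.Errorf("unsafe character %q in envelope address", r)
		}
	}
	return verb + ":<" + spec + ">", nil
}

// serverView is a simplified model of a receiving server's tokenizer:
// the path ends at the first ">", anything after it is read as parameters.
func serverView(line string) (path string, params []string) {
	start := strings.Index(line, "<")
	end := strings.Index(line, ">")
	if start < 0 || end < start {
		return "", nil
	}
	return line[start+1 : end], strings.Fields(line[end+1:])
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{"Alice <alice@example.com>", `"a b"@example.com`, `"a>b"@example.com`} {
		line, err := envelopeLine("RCPT TO", raw)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", raw, err)
			continue
		}
		path, params := serverView(line)
		fmt.Printf("%s -> path=%q params=%v\n", line, path, params)
	}
}
```

The guard is deliberately stricter than RFC 5321, so legitimate quoted local parts are refused as well.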
References
- github.com/advisories/GHSA-wpwj-69cm-q9c5
- github.com/wneessen/go-mail
- github.com/wneessen/go-mail/commit/42e92cfe027be04aff72921adb0f72f11d517479
- github.com/wneessen/go-mail/issues/495
- github.com/wneessen/go-mail/pull/496
- github.com/wneessen/go-mail/security/advisories/GHSA-wpwj-69cm-q9c5
- nvd.nist.gov/vuln/detail/CVE-2025-59937