Vulnerability Information
Vulnerability Title
go-mail has insufficient address encoding when passing mail addresses to the SMTP client
Vulnerability Description
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, mail.Address values are handled incorrectly when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO command of the SMTP client, which can lead to wrong address routing or even ESMTP parameter smuggling. Successful exploitation requires that the user's code accepts arbitrary mail address input (e.g. through a web form or similar). If only static mail addresses are used (e.g. from a config file) and those addresses do not contain quoted local parts, users should not be affected. This issue is fixed in version 0.7.1.
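For code that cannot move to 0.7.1 immediately, user-supplied addresses can be screened before they reach the mail library. The following is an added example, not go-mail's own code: it uses only the Go standard library, the name `safeSMTPAddress` is hypothetical, and it is deliberately conservative (ASCII only, no domain literals), accepting an address only when it needs no quoting inside a MAIL FROM or RCPT TO command.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Characters valid in an unquoted (dot-atom) local part and in a host name.
const localChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.!#$%&'*+-/=?^_`{|}~"
const domainChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-"

// only reports whether s is non-empty and built solely from allowed characters.
func only(s, allowed string) bool {
	return s != "" && strings.Trim(s, allowed) == ""
}

// safeSMTPAddress (hypothetical helper) returns the bare address only when it
// can be sent verbatim in an SMTP command without quoting or escaping.
func safeSMTPAddress(input string) (string, error) {
	if strings.ContainsAny(input, "\r\n") {
		return "", errors.New("line break in address input")
	}
	parsed, err := mail.ParseAddress(input)
	if err != nil {
		return "", fmt.Errorf("not a valid address: %w", err)
	}
	// net/mail returns a quoted local part with the quotes removed, so
	// spaces or specials may now sit unprotected in parsed.Address.
	at := strings.LastIndex(parsed.Address, "@")
	if at < 1 {
		return "", errors.New("missing local part or domain")
	}
	local, domain := parsed.Address[:at], parsed.Address[at+1:]
	if !only(local, localChars) || !only(domain, domainChars) {
		return "", errors.New("address would need quoting; refused")
	}
	if strings.HasPrefix(local, ".") || strings.HasSuffix(local, ".") || strings.Contains(local, "..") {
		return "", errors.New("malformed dots in local part")
	}
	return parsed.Address, nil
}

func main() {
	// Constructed sample inputs.
	for _, in := range []string{"alice@example.com", `"quoted local"@example.com`} {
		addr, err := safeSMTPAddress(in)
		fmt.Printf("%q -> %q, err=%v\n", in, addr, err)
	}
}
```
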
CVSS Information
N/A
Vulnerability Type
Argument injection or modification
Vulnerability Title
go-mail argument injection vulnerability
Vulnerability Description
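go-mail is a Go library with mail-sending functionality, maintained by the individual developer Winni Neessen. go-mail 0.7.0 and earlier contain an argument injection vulnerability that stems from improper handling of mail.Address values and may lead to wrong address routing or ESMTP parameter smuggling.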
CVSS Information
N/A
Vulnerability Type
N/A