CVE-2025-59937: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in wneessen go-mail
go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of mail.Address values when a sender or recipient address is passed to the corresponding MAIL FROM or RCPT TO command of the SMTP client, there is a possibility of wrong address routing or even ESMTP parameter smuggling. For successful exploitation, it is required that the user's code allows arbitrary mail address input (e.g. through a web form or similar). If only static mail addresses are used (e.g. in a config file) and the mail addresses in use do not contain quoted local parts, this should not affect users. This issue is fixed in version 0.7.1.
AI Analysis
Technical Summary
CVE-2025-59937 is a high-severity vulnerability in the go-mail library (versions 0.7.0 and below), a Go library for sending email. The issue stems from improper neutralization of argument delimiters (CWE-88) when mail.Address values are rendered into the SMTP MAIL FROM and RCPT TO commands. Because the library does not correctly process sender or recipient addresses, an address can alter the meaning of the command, leading to wrong address routing or ESMTP parameter smuggling. An attacker who can supply arbitrary email addresses, commonly through user input such as a web form, could therefore manipulate SMTP command parameters, causing mail to be delivered to unintended recipients or injecting SMTP parameters the application never intended. Users who only use static email addresses without quoted local parts are not affected, as such addresses cannot carry the injection. The flaw was fixed in go-mail version 0.7.1. The CVSS 4.0 score is 8.2 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on integrity due to possible mail misrouting. No exploitation in the wild has been reported, but the vulnerability presents a significant risk wherever user-supplied email addresses are processed dynamically.
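The analysis above singles out user-supplied addresses with quoted local parts as the form that can alter a MAIL FROM or RCPT TO command. The Go function below is an added example, not go-mail's code and not the project's 0.7.1 fix: it shows what a conservative validation layer in the calling application can look like, using only the standard library's net/mail parser and rejecting every address that could not be placed inside an SMTP angle-addr unchanged. The allowedDomains values are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrUnsafeAddress is returned for an address that parses but contains a
// character that could change the meaning of an SMTP envelope command.
var ErrUnsafeAddress = errors.New("address rejected: contains whitespace, control or angle-bracket characters")

// allowedDomains is a constructed example allowlist; replace with your own.
var allowedDomains = map[string]bool{
	"example.com": true,
	"example.org": true,
}

// ValidateSMTPAddress parses a user-supplied address with net/mail and then
// applies a conservative policy before the value reaches any mail library:
//   - a single plain addr-spec (no display name)
//   - no quoted local part (the form the advisory identifies as affected)
//   - no whitespace, control characters, '<' or '>' anywhere in the addr-spec
//   - domain on the allowlist (pass nil to skip the domain check)
// It returns the normalised address (domain lower-cased) or an error.
func ValidateSMTPAddress(raw string, allow map[string]bool) (string, error) {
	// net/mail strips the quotes from a quoted local part, so "alice"@example.com
	// would look clean after parsing. Reject any quote in the raw input up front.
	if strings.Contains(raw, `"`) {
		return "", errors.New("address rejected: quoted local parts are not accepted here")
	}
	addr, err := mail.ParseAddress(raw)
	if err != nil {
		return "", fmt.Errorf("unparseable address: %w", err)
	}
	if addr.Name != "" {
		return "", errors.New("address rejected: display names are not accepted here")
	}
	spec := addr.Address
	at := strings.LastIndex(spec, "@")
	if at <= 0 || at == len(spec)-1 {
		return "", errors.New("address rejected: missing local part or domain")
	}
	local, domain := spec[:at], strings.ToLower(spec[at+1:])
	for _, r := range spec {
		if r <= ' ' || r == 0x7f || r == '<' || r == '>' {
			return "", ErrUnsafeAddress
		}
	}
	if allow != nil && !allow[domain] {
		return "", fmt.Errorf("address rejected: domain %q is not on the allowlist", domain)
	}
	return local + "@" + domain, nil
}

func main() {
	// Constructed sample inputs, as they might arrive from a web form.
	for _, in := range []string{
		"Alice@Example.COM",
		`"a b"@example.com`,
		"Alice <alice@example.com>",
		"bob@other.example.net",
	} {
		out, err := ValidateSMTPAddress(in, allowedDomains)
		fmt.Printf("%-28q -> %q err=%v\n", in, out, err)
	}
}
```

The function deliberately accepts less than RFC 5321 allows: quoted local parts and display names are legal, but nothing on this page requires them for user-entered recipients, and refusing them removes the affected input form regardless of which mail library version sits behind the application.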
Potential Impact
For European organizations, this vulnerability could have serious consequences, especially for those relying on go-mail for email communications that incorporate user-supplied addresses, such as customer support portals, automated notification systems, or marketing platforms. Exploitation could lead to misdelivery of sensitive emails, potentially exposing confidential information to unauthorized parties, violating GDPR and other data protection regulations. Additionally, ESMTP parameter smuggling could be leveraged to bypass email filtering or inject malicious commands, increasing the risk of phishing or spam campaigns originating from legitimate infrastructure. This undermines the integrity and trustworthiness of organizational email systems, potentially damaging reputation and leading to regulatory penalties. The vulnerability is particularly critical in sectors handling sensitive personal or financial data, such as finance, healthcare, and government institutions within Europe.
Mitigation Recommendations
European organizations using go-mail should immediately upgrade to version 0.7.1 or later to apply the official fix. Beyond patching, organizations should implement strict validation and sanitization of all user-supplied email addresses before passing them to the mail library, ensuring that inputs conform to expected formats and do not contain special characters that could be used for injection. Employing allowlists for email domains or addresses where feasible can reduce risk. Additionally, monitoring SMTP traffic for anomalous commands or unexpected parameters can help detect exploitation attempts. Organizations should also review their email sending workflows to minimize reliance on dynamic user input for critical SMTP commands. Finally, conducting security code reviews and penetration testing focused on email injection vectors will help identify residual risks.
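The recommendations above include monitoring SMTP traffic for anomalous commands or unexpected parameters. The Go program below is an added example, not part of the advisory or of go-mail: it scans client-side SMTP command lines (the sampleTrace lines are constructed) and reports MAIL FROM or RCPT TO commands whose angle-addr contains whitespace or quotes, that carry more than one angle-addr, or that carry an ESMTP parameter keyword outside the set a deployment is known to send. The expectedParams table is an assumption about that deployment and should be adjusted to what your own client actually emits.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding describes one suspicious SMTP envelope command line.
type Finding struct {
	Line   string
	Reason string
}

// envelopeCmd matches MAIL FROM / RCPT TO lines as they appear in an SMTP
// client trace: command, angle-addr, then optional ESMTP parameters.
var envelopeCmd = regexp.MustCompile(`(?i)^(MAIL FROM|RCPT TO):\s*<([^>]*)>(.*)$`)

// expectedParams lists the ESMTP parameter keywords this (hypothetical)
// deployment normally sends; anything else is reported for review.
var expectedParams = map[string]map[string]bool{
	"MAIL FROM": {"SIZE": true, "BODY": true, "SMTPUTF8": true},
	"RCPT TO":   {"NOTIFY": true, "ORCPT": true},
}

// InspectSMTPTrace scans client command lines and reports envelope commands
// whose address or parameter list looks unusual.
func InspectSMTPTrace(lines []string) []Finding {
	var findings []Finding
	for _, raw := range lines {
		line := strings.TrimRight(raw, "\r\n")
		m := envelopeCmd.FindStringSubmatch(line)
		if m == nil {
			continue // not an envelope command (EHLO, DATA, ...)
		}
		cmd, addr, rest := strings.ToUpper(m[1]), m[2], strings.TrimSpace(m[3])
		if strings.ContainsAny(addr, " \t\"<") {
			findings = append(findings, Finding{line, "address inside angle brackets contains whitespace, a quote or '<'"})
		}
		if strings.Count(line, "<") > 1 || strings.Count(line, ">") > 1 {
			findings = append(findings, Finding{line, "more than one angle-addr on a single command line"})
		}
		for _, p := range strings.Fields(rest) {
			key := strings.ToUpper(strings.SplitN(p, "=", 2)[0])
			if !expectedParams[cmd][key] {
				findings = append(findings, Finding{line, "unexpected ESMTP parameter " + key})
			}
		}
	}
	return findings
}

// sampleTrace is a constructed client-side trace; only the envelope lines matter here.
var sampleTrace = []string{
	"EHLO client.example.net",
	"MAIL FROM:<noreply@example.com> SIZE=2048",
	"RCPT TO:<alice@example.com> NOTIFY=SUCCESS,FAILURE",
	"RCPT TO:<\"bob smith\"@example.com>",
	"RCPT TO:<carol@example.com> SIZE=999999",
	"DATA",
}

func main() {
	for _, f := range InspectSMTPTrace(sampleTrace) {
		fmt.Printf("%s\n    %s\n", f.Line, f.Reason)
	}
}
```

Run over the constructed trace, the checker reports the quoted-local-part RCPT TO line and the RCPT TO line carrying SIZE, a MAIL FROM parameter that has no place on a recipient command; the two well-formed envelope lines pass. The keyword table is the tuning point: keep it to what your application is known to send so that any parameter an address managed to smuggle in stands out.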
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-23T14:33:49.505Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68db1fa6a473ffe031e2789f
Added to database: 9/30/2025, 12:09:10 AM
Last enriched: 9/30/2025, 12:10:34 AM
Last updated: 10/2/2025, 12:10:59 AM