go-mail Incorrect Address Handling in SMTP Commands Vulnerability
Vulnerability
A vulnerability exists in the go-mail library, specifically in versions prior to 0.7.1, due to improper handling of mail addresses when they are passed to the SMTP client's MAIL FROM or RCPT TO commands. This flaw can lead to misrouting of email or ESMTP parameter smuggling. The issue arises because the library uses the raw address value instead of the properly formatted string, allowing for injection of additional SMTP commands. Exploitation requires the ability to input arbitrary email addresses, such as through a web form.
Impact
This vulnerability can cause emails to be misrouted to incorrect domains, bypassing filters and anti-spam measures. It also violates RFC 5321/5322 standards, potentially leading to compliance issues.
Reproduction
To reproduce this vulnerability, send an email using the go-mail library version 0.7.0 or earlier. Include a recipient address whose quoted local part contains an embedded '@' and ESMTP parameters, such as 'ORCPT=admin@admin.com'. Such an address will be misrouted or improperly processed by the SMTP server.
Remediation
Users can update to go-mail version 0.7.1, which addresses this vulnerability by correcting the way mail addresses are parsed and formatted for SMTP commands.
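The difference between the raw address value and the formatted string described above can be seen with Go's standard net/mail package. The following is an added example, not code from go-mail or from this advisory: `rawAndFormatted` and `checkEnvelopeAddress` are hypothetical helper names, and the sample addresses are constructed. It shows both views of one parsed address and an input check that an application accepting addresses from a web form could apply.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// rawAndFormatted returns the two views net/mail gives of one parsed address:
// the unquoted Address field and the RFC 5322 form produced by String().
func rawAndFormatted(input string) (raw, formatted string, err error) {
	a, err := mail.ParseAddress(input)
	if err != nil {
		return "", "", err
	}
	return a.Address, a.String(), nil
}

// checkEnvelopeAddress (hypothetical helper) rejects user-supplied addresses
// whose raw form would be ambiguous inside a MAIL FROM or RCPT TO command.
func checkEnvelopeAddress(input string) error {
	raw, _, err := rawAndFormatted(input)
	if err != nil {
		return fmt.Errorf("unparsable address: %w", err)
	}
	// A quoted local part may legally contain '@'; once the quotes are
	// dropped, the raw value no longer shows where the domain starts.
	if strings.Count(raw, "@") != 1 {
		return errors.New("local part contains '@'")
	}
	// Whitespace in the raw value would separate it from a following
	// ESMTP parameter on the command line.
	if strings.ContainsAny(raw, " \t\r\n<>") {
		return errors.New("address contains whitespace or angle brackets")
	}
	return nil
}

func main() {
	// Constructed inputs: an ordinary address and an address with the
	// quoted-local-part shape described in the Reproduction section.
	inputs := []string{"alice@example.com", `"user@example.org ORCPT=admin"@admin.com`}
	for _, in := range inputs {
		raw, formatted, _ := rawAndFormatted(in)
		fmt.Printf("raw=%q formatted=%q check=%v\n", raw, formatted, checkEnvelopeAddress(in))
	}
}
```

The check is stricter than RFC 5321 requires, since it refuses every address whose local part needs quoting; it complements the upgrade to 0.7.1 and does not replace it.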
