net/textproto: arbitrary input are included as part of error without escaping

[nicholashusin]

net/textproto puts arbitrary input without escaping as part of its error. As a result, downstream users of the package, such as net/http and net/smtp, might see attacker-controlled text injected into their errors. We expect this to have a relatively limited impact (e.g. something that does not look like an error shows up in a victim's logs due to newlines being injected into the error). Therefore, we are treating this as a PUBLIC track issue, per the Go Security Policy (https://go.dev/security/policy).

This is CVE-2026-42507.

[gabyhelp]

Related Issues

• net/smtp: client returns server-controlled response text in errors #79345
• net/http: client should not include raw header values in error messages #43631 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/777060 mentions this issue: net/textproto: escape arbitrary input when including them in errors

[nicholashusin]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #79425 (for 1.25), #79426 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.