
I'm missing something here... How does "user@real.com;attacker@evil.com" validate as "user@real.com"? Is this a regexp vs strcmp() issue or is there something more subtle at play?


One scenario I can imagine is a regex which doesn't properly handle multi-line inputs (quite a common issue in Ruby [1]). Together with a mail header injection vulnerability, this input could be dangerous:

  user@real.com\nCc:attacker@evil.com
[1]: http://guides.rubyonrails.org/security.html#regular-expressi...
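As an added illustration of the scenario in the comment above (this is example code, not something posted by the commenter or taken from the linked guide): in Ruby, `^` and `$` match at line boundaries, so a validator anchored with them accepts a value whose first line is a clean address. The `build_headers` function below stands in for a hypothetical mailer that interpolates the unescaped value into raw headers, and the inputs are constructed for the demo.

```ruby
# Anchored at line boundaries: ^ and $ match around every "\n" in Ruby,
# so only the first line of the input has to look like an address.
LOOSE_EMAIL  = /^[\w.+-]+@[\w-]+(\.[\w-]+)+$/

# Anchored at string boundaries: \A and \z force the whole string to match.
STRICT_EMAIL = /\A[\w.+-]+@[\w-]+(\.[\w-]+)+\z/

def loose_valid?(value)
  LOOSE_EMAIL.match?(value)
end

def strict_valid?(value)
  STRICT_EMAIL.match?(value)
end

# Constructed inputs: a clean address and the header-injection payload
# from the comment (a newline followed by an extra Cc: header).
CLEAN    = "user@real.com"
INJECTED = "user@real.com\nCc:attacker@evil.com"

# Hypothetical mailer that drops the "validated" value straight into
# the raw header block without escaping or re-serialising it.
def build_headers(to)
  "To: #{to}\r\nSubject: Password reset\r\n"
end

# Extract every recipient header a naive MTA/parser would see. `.` does
# not match "\n", so each header line is captured separately; strip
# removes the stray "\r" left on the last captured line.
def header_recipients(raw_headers)
  raw_headers.scan(/^(?:To|Cc|Bcc):\s*(.+)$/i).flatten.map(&:strip)
end

# Validate with the strict anchor before building anything; return nil
# on rejection so the caller cannot send to a forged recipient list.
def safe_headers(to)
  return nil unless strict_valid?(to)
  build_headers(to)
end

if __FILE__ == $PROGRAM_NAME
  puts "loose  accepts injected: #{loose_valid?(INJECTED)}"
  puts "strict accepts injected: #{strict_valid?(INJECTED)}"
  puts "recipients after injection: #{header_recipients(build_headers(INJECTED)).inspect}"
  puts "safe_headers(INJECTED): #{safe_headers(INJECTED).inspect}"
end
```

The loose regex passes the payload because `$` matches right before the embedded `\n`; once the value reaches the header block, the second line becomes its own `Cc:` header. Switching the anchors to `\A` and `\z` (or rejecting any `\r`/`\n` outright before validation) closes that gap.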


Total speculation, but maybe they're trying to be clever and accept things like "John Doe <john@doe.com>" as being equivalent to "john@doe.com" and end up using a full e-mail parsing library for the matching which is more capable than they realize?


It may send it to multiple addresses. I know in Outlook and in .NET libraries, the semicolon is the delimiter for multiple email addresses.


Might have been validated in step 1, but the email goes out to the email in a hidden field in step 2, etc.

