Updated: 2025-08-20 01:50:24.467494
Description:
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.6 | 7.5 | HIGH | Not Vulnerable | 2026-01-27 16:42:48 | ||
| Debian 10 | python | 3.6 | 7.5 | HIGH | Not Vulnerable | 2025-09-05 09:15:51 | ||
| Debian 10 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-09-05 19:58:07 | ||
| Debian 11 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-09-05 19:58:07 | ||
| Debian 11 | python | 3.6 | 7.5 | HIGH | Not Vulnerable | 2025-09-05 09:15:51 | ||
| Debian 12 | python | 3.9 | 7.5 | HIGH | Not Vulnerable | 2025-12-05 12:36:17 | ||
| Debian 12 | python | 3.7 | 7.5 | HIGH | Ignored | 2025-11-21 20:04:55 | ||
| Debian 12 | python | 3.6 | 7.5 | HIGH | Not Vulnerable | 2025-09-05 09:15:51 | ||
| Debian 12 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-09-05 19:58:06 | ||
| Debian 12 | python | 3.8 | 7.5 | HIGH | Ignored | 2025-11-21 20:04:54 |