Updated: 2025-08-20 01:50:24.467494
Description:
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 13 | python | 3.9 | 7.5 | HIGH | Not Vulnerable | 2025-12-05 12:36:16 | ||
| Debian 13 | python | 3.6 | 7.5 | HIGH | Not Vulnerable | 2025-09-24 22:29:57 | ||
| Debian 13 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-10-23 23:54:25 | ||
| Debian 13 | python | 3.8 | 7.5 | HIGH | Ignored | 2025-11-21 20:04:56 | ||
| Debian 13 | python | 3.7 | 7.5 | HIGH | Ignored | 2025-11-21 20:04:57 | ||
| EL 10 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-10-14 06:20:08 | We've reasoned not to fix this CVE since project's upstream does not consider it as a bug or vulnera... | |
| EL 10 | python | 3.6 | 7.5 | HIGH | Ignored | 2025-10-30 00:33:03 | We've reasoned not to fix this CVE since project's upstream does not consider it as a bug or vulnera... | |
| EL 7 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-07-22 00:53:05 | We've reasoned not to fix this CVE since project's upstream does not consider it as a bug or vulnera... | |
| EL 7 | python | 3.6 | 7.5 | HIGH | Ignored | 2025-05-24 05:23:30 | We've reasoned not to fix this CVE since project's upstream does not consider it as a bug or vulnera... | |
| EL 8 | python | 2.7 | 7.5 | HIGH | Ignored | 2025-07-22 00:53:05 | We've reasoned not to fix this CVE since project's upstream does not consider it as a bug or vulnera... |