CVE-2023-36632

Name of the Vulnerable Software and Affected Versions Python versions through 3.11.4

Description The legacy email.utils.parseaddr function in Python allows attackers to trigger a "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. The email package is intended to have size limits and to throw an exception when limits are exceeded. Applications should instead use the email.parser.BytesParser or email.parser.Parser class.

Recommendations For Python versions through 3.11.4, consider using the email.parser.BytesParser or email.parser.Parser class instead of the legacy email.utils.parseaddr function to mitigate the risk of exploitation. As a temporary workaround, consider restricting the input data to prevent crafted arguments from triggering the RecursionError. At the moment, there is no information about a newer version that contains a fix for this vulnerability.