CVE-2023-36632 Information
Jun 26, 2023
Description
The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application’s input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class.
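For code that still has to call parseaddr on untrusted input, the following added example (not taken from the CVE record or from CPython) shows one way to contain the failure described above. The names safe_parseaddr, parse_all and MAX_ADDR_LEN, the 512-character cap and the parse parameter are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumed cap on accepted input length; pick one that fits the application.
MAX_ADDR_LEN = 512


def safe_parseaddr(value, max_len=MAX_ADDR_LEN, parse=parseaddr):
    """Parse an untrusted "Name <addr>" value without letting RecursionError escape.

    Returns (name, addr), or ('', ''), the tuple parseaddr itself returns on a
    failed parse, when the input is rejected. `parse` is a hypothetical
    injection point so the error path can be exercised in tests.
    """
    # Reject non-strings and oversized values before any parsing work is done.
    if not isinstance(value, str) or len(value) > max_len:
        return ("", "")
    try:
        name, addr = parse(value)
    except RecursionError:
        # The failure named in the CVE description: handle it as a parse
        # failure instead of letting it propagate into the caller.
        return ("", "")
    return (name, addr)


def parse_all(values):
    """Parse a batch; return (parsed tuples, indexes of rejected inputs)."""
    parsed, rejected = [], []
    for i, v in enumerate(values):
        result = safe_parseaddr(v)
        if result == ("", ""):
            rejected.append(i)  # log the index, not the raw untrusted value
        else:
            parsed.append(result)
    return parsed, rejected


if __name__ == "__main__":
    # Constructed sample inputs (benign; no crafted payload is reproduced here).
    samples = ["Alice Example <alice@example.com>", "bob@example.org", "x" * 600]
    print(parse_all(samples))
```

The length cap only bounds how much input reaches the parser; the except clause is what keeps the RecursionError from surfacing as an unhandled exception.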
Reference
https://docs.python.org/3/library/email.utils.html
https://docs.python.org/3/library/email.html
https://github.com/Daybreak2019/PoC_python3.9_Vul/blob/main/RecursionError-email.utils.parseaddr.py