CVE-2023-36632

7.5 HIGH

📋 TL;DR

This CVE describes a recursion vulnerability in Python's legacy email.utils.parseaddr function that allows attackers to cause a RecursionError via crafted input. This can lead to denial of service in applications that use this function to parse untrusted email addresses. Affected: Python applications that call the vulnerable function on user-supplied input.

💻 Affected Systems

Products:
  • Python
Versions: Python through 3.11.4
Operating Systems: All operating systems running affected Python versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using email.utils.parseaddr() function with untrusted input. The email package documentation categorizes this as a Legacy API.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Application crashes due to RecursionError, causing denial of service and potential service disruption.

🟠 Likely Case

Denial of service in affected applications when parsing malicious email addresses, requiring application restart.

🟢 If Mitigated

Minimal impact if applications use proper input validation or the recommended email.parser classes instead.

🌐 Internet-Facing: MEDIUM - Applications accepting email input from external users could be DoS'd, but requires specific vulnerable code path.
🏢 Internal Only: LOW - Internal applications are less likely to receive malicious input, but still vulnerable if using the legacy function.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept code is publicly available. Exploitation requires the application to use parseaddr() on attacker-controlled input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - Python developers consider this expected behavior, not a vulnerability

Vendor Advisory: https://github.com/python/cpython/issues/103800

Restart Required: No

Instructions:

No official patch. Migrate from email.utils.parseaddr() to email.parser.BytesParser or email.parser.Parser as recommended in Python documentation.

🔧 Temporary Workarounds

Migrate to email.parser (applies to: all)

Replace usage of legacy email.utils.parseaddr() with the recommended email.parser classes

Input validation and length limits (applies to: all)

Implement input validation and reasonable length limits on email address fields before passing to parseaddr()

🧯 If You Can't Patch

  • Implement strict input validation and length limits on all email address inputs
  • Wrap parseaddr() calls in try-except blocks to catch RecursionError and handle gracefully
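As an added illustration of the two workarounds above (this is example code written for this page, not code from the CVE record or from CPython), a bounded, fail-closed wrapper around the legacy call next to the email.parser route; the 320-character limit and the function names are assumptions chosen here.

```python
import email.utils
from email import policy
from email.parser import Parser

# Assumed limit (constructed for this example): RFC 5321 caps a mailbox at
# 254 octets, so 320 leaves room for a display name and angle brackets.
MAX_ADDR_LEN = 320


def safe_parseaddr(raw):
    """Parse one address with the legacy API, bounded and fail-closed.

    Returns (realname, addr) on success, or None when the input is not a
    str, exceeds the length limit, or drives parseaddr into the recursion
    limit. The caller treats None as "reject", never as "crash".
    """
    if not isinstance(raw, str) or len(raw) > MAX_ADDR_LEN:
        return None
    try:
        realname, addr = email.utils.parseaddr(raw)
    except RecursionError:
        # Crafted input reached the interpreter's recursion limit; handle it
        # as hostile input instead of letting the worker process die.
        return None
    # parseaddr reports "could not parse" as ('', ''); reject that as well.
    if not addr:
        return None
    return realname, addr


def addresses_from_header(raw_header):
    """Recommended route: email.parser with policy.default parses a From: line.

    Returns a list of (display_name, addr_spec) tuples; [] on rejection.
    """
    # Same length bound, plus a guard against header injection via CR/LF.
    if len(raw_header) > MAX_ADDR_LEN or "\r" in raw_header or "\n" in raw_header:
        return []
    msg = Parser(policy=policy.default).parsestr("From: " + raw_header + "\n\n")
    header = msg["From"]  # AddressHeader under policy.default
    if header is None:
        return []
    return [(a.display_name, a.addr_spec) for a in header.addresses]
```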

🔍 How to Verify

Check if Vulnerable:

Check Python code for usage of email.utils.parseaddr() function with user-supplied input

Check Version:

python --version

Verify Fix Applied:

Verify code has been migrated to email.parser classes or implements proper input validation

📡 Detection & Monitoring

Log Indicators:

  • RecursionError exceptions in application logs
  • Application crashes or restarts related to email parsing

Network Indicators:

  • Unusually long email address strings in network traffic

SIEM Query:

source="application.logs" AND "RecursionError" AND "parseaddr"
