CVE-2025-1795
LOWCPython Email Header Injection via Address List Folding
Title source: llmDescription
During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.
References (10)
Core 10
Core References
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/100884
Issue Tracking patch
https://github.com/python/cpython/pull/100885
Issue Tracking patch
https://github.com/python/cpython/pull/119099
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/
Scores
CVSS v4
2.3
EPSS
0.0057
EPSS Percentile
42.3%
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-116
Status
published
Products (6)
Python Software Foundation/CPython
< 3.10.17
Python Software Foundation/CPython
< 3.9.23
Python Software Foundation/CPython
3.10.0 - 3.10.17
Python Software Foundation/CPython
3.11.0 - 3.11.9
Python Software Foundation/CPython
3.12.0 - 3.12.3
Python Software Foundation/CPython
3.13.0a1 - 3.13.0a5
Published
Feb 28, 2025
Tracked Since
Feb 18, 2026