What is CVE-2023-36632?

A high-severity vulnerability in Python's legacy email.utils.parseaddr function can lead to a RecursionError. Organizations must address this issue to mitigate potential impacts.

What is the severity of CVE-2023-36632?

CVE-2023-36632 has a severity rating of HIGH with a CVSS base score of 7.5.

CVE-2023-36632 | High Vulnerability in Python

The legacy email.utils.parseaddr function in Python through version 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument may originate from untrusted input data, which is expected to contain a name and an email address. Notably, the email.utils.parseaddr function is categorized as a Legacy API in the Python email package documentation. The recommended alternatives are the email.parser.BytesParser or email.parser.Parser classes.

This vulnerability is classified as high severity with a CVSS score of 7.5, reflecting its potential impact on availability as the issue could cause applications to become unresponsive. Although the vendor considers it neither a vulnerability nor a bug due to intended size limits in the email package, the risk to organizations includes application downtime and denial of service.

Organizations should prioritize patching immediately. As of now, there are no known exploits available, reducing the immediate threat level. However, the potential for misuse remains, especially as attackers often seek to exploit legacy systems.

Given the nature of this vulnerability, organizations utilizing affected versions of Python should take proactive measures to validate input data rigorously and employ the recommended alternatives to the legacy function.

For further information on the email package, visit the Python documentation. It is essential for developers to stay updated on secure coding practices to prevent similar vulnerabilities.

Finally, organizations should monitor for any updates from the Python community regarding this issue and take necessary action to safeguard their applications.

The vulnerability was published on June 25, 2023, and has since been marked as modified. Organizations are advised to evaluate their current use of the affected function and transition to safer alternatives as a long-term mitigation strategy.

Vulnerability Details

CVE-2023-36632 affects Python versions up to 3.11.4, where the legacy email.utils.parseaddr function poses a risk of a RecursionError when processing crafted input data. The CVSS score of 7.5 indicates a high severity, primarily affecting availability without compromising confidentiality or integrity.

Technical Analysis

The root cause lies in the misuse of the legacy function, which fails to handle specific input cases correctly, leading to excessive recursion. The attack vector is network-based, with low complexity and no privileges required. User interaction is not necessary, but the impact on availability is significant, causing applications to crash or become unresponsive.

Risk & Impact Analysis

Real-world deployment risk is moderate, as the vulnerability requires specific conditions to exploit. However, given the prevalence of Python applications and potential exposure, organizations must prioritize remediation. The blast radius includes all applications using the legacy email.utils.parseaddr function, especially those handling untrusted input.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected version range includes all Python versions up to 3.11.4. Organizations should verify their environment and ensure they are not using this vulnerable function.

Mitigation & Remediation

Organizations should upgrade to a version of Python that does not include this vulnerability. Additionally, they should refactor their code to utilize the email.parser.BytesParser or email.parser.Parser classes instead of the legacy email.utils.parseaddr. For ongoing protection, consider implementing comprehensive input validation and monitoring for application anomalies.

Detection Guidance

Monitoring logs for unusual recursion errors can help identify attempts to exploit this vulnerability. Additionally, watch for behavioral anomalies in applications that heavily utilize the email package.

AppSecure Threat Intelligence Insight

This vulnerability underscores the importance of maintaining updated libraries and avoiding reliance on legacy APIs. As organizations increasingly adopt Python for various applications, understanding the potential risks associated with these tools is crucial. For more insights into secure coding practices, refer to the best practices in security testing. Leveraging services like penetration testing can also enhance your security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2023-36632: High Vulnerability in Python