Improper input validatin in Python

1) Input validation error

EUVDB-ID: #VU107949

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-1795

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in Lib/email/_header_value_parser.py. A remote attacker can pass specially crafted input to the application and manipulate headers in an email message.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Python: 3.11.0 - 3.13.0a4

CPE2.3

• cpe:2.3:a:python_org:python:3.11.0:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:*:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.2:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.3:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.4:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.5:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.6:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.7:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.11.8:*:*:*:*:*:*:*
• cpe:2.3:a:python_org:python:3.12.0:*:*:*:*:*:*:*

External links

https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48
https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593
https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74
https://github.com/python/cpython/issues/100884
https://github.com/python/cpython/pull/100885
https://github.com/python/cpython/pull/119099
https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.