Email header injection in Address objects


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

It is possible to inject email headers using CR or LF character.

The fix disallows CR and LF characters in email.headerregistry.Address arguments to guard against header injection attacks.


  • Disclosure date: 2019-12-17 (Python issue bpo-39073 reported)

Fixed In

Python issue

[security] email module incorrect handling of CR and LF newline characters in Address objects.

  • Python issue: bpo-39073
  • Creation date: 2019-12-17
  • Reporter: Jasper Spaans


Timeline using the disclosure date 2019-12-17 as reference: