Email folding function Denial-of-Service


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

The email folding function enters an infinite loop if a header is longer than the policy maximum line length and contains many non-ASCII characters.

Regression introduced in Python 3.6.4.


  • Disclosure date: 2018-05-16 (Python issue bpo-33529 reported)

Fixed In

Python issue

[security] Infinite loop on folding email (_fold_as_ew()) if an header has no spaces.

  • Python issue: bpo-33529
  • Creation date: 2018-05-16
  • Reporter: Rad164


Timeline using the disclosure date 2018-05-16 as reference: