email.utils.parseaddr mistakenly parse an email


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

email.utils.parseaddr wrongly parse the From field of an email.

email.utils.parseaddr('John Doe <>') returns ('', 'John Doe'), whereas it should return ('John Doe', '').


  • Disclosure date: 2018-07-19 (Python issue bpo-34155 reported)

Fixed In

Python issue

[CVE-2019-16056] email.utils.parseaddr mistakenly parse an email.

  • Python issue: bpo-34155
  • Creation date: 2018-07-19
  • Reporter: Cyril Nicodème


An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.


Timeline using the disclosure date 2018-07-19 as reference: