CVE-2024-6923: CPython Email Header Injection Flaw

CVE-2024-6923 Overview

CVE-2024-6923 is a header injection vulnerability affecting CPython's email module. The vulnerability exists because the email module fails to properly quote newlines when serializing email headers. This improper handling allows attackers to inject arbitrary headers when an email message is serialized, potentially enabling email spoofing, phishing attacks, or bypassing email security controls.

Critical Impact
Attackers can inject malicious headers into emails by exploiting improper newline handling in CPython's email serialization, enabling email spoofing and potential security bypass scenarios.

Affected Products

CPython (multiple versions including 3.10.x, 3.12.x, and 3.13.x branches)
Applications using Python's email module for message serialization
Systems running vulnerable CPython versions with email handling functionality

Discovery Timeline

August 1, 2024 - CVE-2024-6923 published to NVD
November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2024-6923

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The core issue stems from insufficient input validation in CPython's email module when processing header values during message serialization. When an email message is serialized for transmission, the module fails to properly escape or quote newline characters (\n or \r\n) present in header values.

Email protocols (RFC 5322) use newlines as header delimiters. By injecting newline characters followed by malicious header content, an attacker can insert arbitrary headers into the serialized email output. This could allow manipulation of routing headers, content-type headers, or other critical email metadata.

Root Cause

The root cause lies in the email generator's failure to validate and sanitize header content before outputting serialized messages. The original implementation did not enforce proper encoding of special characters, particularly newline sequences, that have semantic meaning in the email protocol. Headers containing embedded newlines would be written directly to the output without transformation, allowing the injected content to be interpreted as separate headers by receiving mail systems.

Attack Vector

The attack can be executed over the network when an application accepts user-controlled input for email header fields (such as subject lines, sender names, or custom headers) and uses Python's email module to construct and serialize the message. An attacker provides input containing embedded newline characters followed by malicious header content. When the email is serialized, the injected content becomes part of the actual email headers.

The security patch introduces a verify_generated_headers policy attribute that validates headers during generation:

text

   .. attribute:: verify_generated_headers

      If ``True`` (the default), the generator will raise
      :exc:`~email.errors.HeaderWriteError` instead of writing a header
      that is improperly folded or delimited, such that it would
      be parsed as multiple headers or joined with adjacent data.
      Such headers can be generated by custom header classes or bugs
      in the ``email`` module.

      As it's a security feature, this defaults to ``True`` even in the
      :class:`~email.policy.Compat32` policy.
      For backwards compatible, but unsafe, behavior, it must be set to
      ``False`` explicitly.

Source: CPython GitHub Commit

Detection Methods for CVE-2024-6923

Indicators of Compromise

Unexpected or malformed email headers in outgoing mail logs
Email messages containing multiple instances of headers that should appear only once
User-supplied input appearing verbatim in email header fields with newline sequences
Reports of email spoofing originating from your mail systems

Detection Strategies

Review application code for usage of Python's email module with user-controlled header inputs
Implement logging to detect newline characters (\n, \r\n, \r) in header field inputs before email serialization
Monitor mail server logs for emails with anomalous header structures
Conduct code audits to identify all entry points where user input reaches email header construction

Monitoring Recommendations

Enable verbose logging on mail transfer agents to capture full header details of outgoing messages
Implement input validation alerts that trigger when special characters are detected in email header fields
Monitor for HeaderWriteError exceptions in application logs after patching, which may indicate attempted exploitation
Establish baseline metrics for normal email header patterns to detect anomalies

How to Mitigate CVE-2024-6923

Immediate Actions Required

Update CPython to a patched version (3.10.15+, 3.12.5+, or 3.13+) immediately
Review all application code that uses Python's email module for header construction with user input
Implement server-side input validation to strip or reject newline characters in header values
Enable the verify_generated_headers policy option (enabled by default in patched versions) to detect malformed headers

Patch Information

The Python development team has released security patches across multiple CPython branches. The fix introduces a new HeaderWriteError exception and the verify_generated_headers policy attribute that validates headers during email generation. When enabled (the default), the generator raises an exception instead of writing improperly delimited headers. Patches are available via the following resources:

Workarounds

Implement strict input validation on all user-supplied data destined for email headers, rejecting inputs containing \r or \n characters
Use a sanitization layer that strips or encodes newline sequences before passing values to the email module
If patching is not immediately possible, explicitly set verify_generated_headers=True in email policy configurations
Consider using alternative email libraries with built-in header sanitization if CPython cannot be updated

bash

# Verify Python version includes the security fix
python3 --version
# Should be 3.10.15+, 3.12.5+, or 3.13+

# Check for HeaderWriteError availability (indicates patched version)
python3 -c "from email.errors import HeaderWriteError; print('Patched')"

# Update Python using system package manager (Debian/Ubuntu example)
sudo apt update && sudo apt upgrade python3

CVE-2024-6923 Overview

Critical Impact
Attackers can inject malicious headers into emails by exploiting improper newline handling in CPython's email serialization, enabling email spoofing and potential security bypass scenarios.

Affected Products

CPython (multiple versions including 3.10.x, 3.12.x, and 3.13.x branches)
Applications using Python's email module for message serialization
Systems running vulnerable CPython versions with email handling functionality

Discovery Timeline

August 1, 2024 - CVE-2024-6923 published to NVD
November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2024-6923

Vulnerability Analysis

Root Cause

Attack Vector

The security patch introduces a verify_generated_headers policy attribute that validates headers during generation:

text

   .. attribute:: verify_generated_headers

      If ``True`` (the default), the generator will raise
      :exc:`~email.errors.HeaderWriteError` instead of writing a header
      that is improperly folded or delimited, such that it would
      be parsed as multiple headers or joined with adjacent data.
      Such headers can be generated by custom header classes or bugs
      in the ``email`` module.

      As it's a security feature, this defaults to ``True`` even in the
      :class:`~email.policy.Compat32` policy.
      For backwards compatible, but unsafe, behavior, it must be set to
      ``False`` explicitly.

Source: CPython GitHub Commit

Detection Methods for CVE-2024-6923

Indicators of Compromise

Unexpected or malformed email headers in outgoing mail logs
Email messages containing multiple instances of headers that should appear only once
User-supplied input appearing verbatim in email header fields with newline sequences
Reports of email spoofing originating from your mail systems

Detection Strategies

Review application code for usage of Python's email module with user-controlled header inputs
Implement logging to detect newline characters (\n, \r\n, \r) in header field inputs before email serialization
Monitor mail server logs for emails with anomalous header structures
Conduct code audits to identify all entry points where user input reaches email header construction

Monitoring Recommendations

Enable verbose logging on mail transfer agents to capture full header details of outgoing messages
Implement input validation alerts that trigger when special characters are detected in email header fields
Monitor for HeaderWriteError exceptions in application logs after patching, which may indicate attempted exploitation
Establish baseline metrics for normal email header patterns to detect anomalies

How to Mitigate CVE-2024-6923

Immediate Actions Required

Update CPython to a patched version (3.10.15+, 3.12.5+, or 3.13+) immediately
Review all application code that uses Python's email module for header construction with user input
Implement server-side input validation to strip or reject newline characters in header values
Enable the verify_generated_headers policy option (enabled by default in patched versions) to detect malformed headers

Patch Information

Workarounds

Implement strict input validation on all user-supplied data destined for email headers, rejecting inputs containing \r or \n characters
Use a sanitization layer that strips or encodes newline sequences before passing values to the email module
If patching is not immediately possible, explicitly set verify_generated_headers=True in email policy configurations
Consider using alternative email libraries with built-in header sanitization if CPython cannot be updated

bash

# Verify Python version includes the security fix
python3 --version
# Should be 3.10.15+, 3.12.5+, or 3.13+

# Check for HeaderWriteError availability (indicates patched version)
python3 -c "from email.errors import HeaderWriteError; print('Patched')"

# Update Python using system package manager (Debian/Ubuntu example)
sudo apt update && sudo apt upgrade python3

CVE-2024-6923: CPython Email Header Injection Flaw

CVE-2024-6923 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-6923

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-6923

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-6923

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2024-6923: CPython Email Header Injection Flaw

CVE-2024-6923 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-6923

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-6923

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-6923

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform