CVE-2025-1795 Overview
CVE-2025-1795 is an Improper Encoding or Escaping of Output vulnerability in Python's email library. During address list folding, when a separating comma ends up on a folded line that needs to be unicode-encoded, the separator itself is incorrectly unicode-encoded. The expected behavior is that the separating comma remains a plain comma character. This improper encoding can result in address headers being misinterpreted by some mail servers, potentially causing email delivery issues or security implications in email-handling applications.
Critical Impact
Mail servers may misinterpret encoded address headers, potentially leading to emails being delivered to unintended recipients or failing to deliver entirely. Applications relying on Python's email library for address parsing and formatting may produce malformed headers.
Affected Products
- Python CPython (multiple versions)
- Debian Linux (via Python packages)
- Applications using Python's email module for header value parsing
Discovery Timeline
- 2023-01-13 - Issue initially reported via GitHub Issue #100884
- 2025-02-28 - CVE-2025-1795 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-1795
Vulnerability Analysis
The vulnerability exists in Python's email/_header_value_parser.py module, which handles the parsing and encoding of email headers. When processing address lists that contain multiple recipients separated by commas, the library performs "folding" to ensure headers comply with line length requirements specified in RFC 5322.
The issue occurs during the encoding process when a list separator (comma) appears on a line that requires unicode encoding. The ListSeparator terminal, defined as ValueTerminal(',', 'list-separator'), was being processed through the encoded-word transformation when it should have remained as a literal ASCII comma.
This behavior violates RFC 2047, which specifies that certain structural characters in email headers must not be encoded. When a comma separator is incorrectly encoded (e.g., as =?utf-8?q?=2C?=), receiving mail servers may fail to recognize it as a delimiter, potentially concatenating addresses or misrouting messages.
Root Cause
The root cause is the missing as_ew_allowed = False attribute on the ListSeparator terminal in the header value parser. Without this flag, the encoding logic would include the comma separator in encoded-word sequences when the surrounding content required unicode encoding. The as_ew_allowed attribute controls whether a terminal can be included in an RFC 2047 encoded-word, and list separators should explicitly be excluded.
Attack Vector
This is a network-accessible vulnerability that requires specific conditions to trigger:
- An attacker crafts email addresses containing unicode characters that, when combined with other recipients, cause the comma separator to fall on a folded line
- The Python email library encodes the entire line including the separator
- The malformed header is sent to a mail server that interprets the encoded comma as part of an address rather than a delimiter
While exploitation requires low privileges and specific conditions, the impact is limited to potential information disclosure through misdirected emails or denial of service through delivery failures.
# Security patch from Lib/email/_header_value_parser.py
# Source: https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48
# up other parse trees. Maybe should have tests for that, too.
DOT = ValueTerminal('.', 'dot')
ListSeparator = ValueTerminal(',', 'list-separator')
+ListSeparator.as_ew_allowed = False
RouteComponentMarker = ValueTerminal('@', 'route-component-marker')
#
The fix adds ListSeparator.as_ew_allowed = False to explicitly prevent the comma separator from being included in encoded-word sequences, ensuring it always remains as a plain ASCII comma in the output.
Detection Methods for CVE-2025-1795
Indicators of Compromise
- Email headers containing encoded comma separators in address lists (e.g., =?utf-8?q?=2C?= instead of plain ,)
- Mail server logs showing parsing errors for recipient lists with unicode content
- Bounce messages indicating malformed headers from downstream mail servers
- Unexpected email delivery behavior when sending to multiple recipients with international characters
Detection Strategies
- Monitor outbound email headers for encoded structural characters (commas, semicolons) that should remain unencoded
- Implement regex patterns to detect RFC 2047 encoded-word sequences containing encoded ASCII delimiters
- Review application logs for email delivery failures related to header parsing
- Audit Python environments to identify vulnerable versions of the email module
Monitoring Recommendations
- Deploy email header validation checks in mail transfer agents to flag suspicious encoding patterns
- Configure logging to capture raw email headers for forensic analysis
- Monitor mail queue sizes for unexpected growth that could indicate delivery failures
- Set up alerts for increased bounce rates that may indicate header parsing issues
How to Mitigate CVE-2025-1795
Immediate Actions Required
- Update Python to a patched version that includes the fix for email/_header_value_parser.py
- Review applications using Python's email library for address list handling
- Validate outbound email headers in development and staging environments
- Consider implementing application-level validation of email headers before sending
Patch Information
The vulnerability has been addressed through commits to multiple Python branches. The fix sets ListSeparator.as_ew_allowed = False to prevent the comma separator from being unicode-encoded during header folding.
Relevant patches are available via:
- Python Security Announcement
- Debian LTS Security Announcement
- GitHub Pull Request #100885
- GitHub Pull Request #119099
Workarounds
- Implement custom header encoding logic that preserves list separators as literal characters
- Pre-validate email address lists to ensure commas are not positioned on folding boundaries
- Use ASCII-only email addresses where possible to avoid triggering unicode encoding
- Add post-processing checks to verify headers before transmission to mail servers
# Verify Python version and check for vulnerable email module
python3 --version
python3 -c "import email._header_value_parser as hvp; print('as_ew_allowed' in dir(hvp.ListSeparator))"
# Update Python via system package manager (Debian/Ubuntu)
sudo apt update && sudo apt upgrade python3
# For pip-based environments, ensure latest Python patch level
pyenv update && pyenv install --list | grep -E "^ 3\.(11|12|13)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
