CVE-2023-36632
NixOS vulnerability analysis and mitigation

Overview

The legacy email.utils.parseaddr function in Python through version 3.11.4 contains a vulnerability that allows attackers to trigger a 'RecursionError: maximum recursion depth exceeded while calling a Python object' via a crafted argument. This vulnerability (CVE-2023-36632) was discovered in June 2023 and affects applications that process untrusted input data intended to contain names and email addresses. Notably, email.utils.parseaddr is categorized as a Legacy API in Python's email package documentation (Python Docs).

Technical details

The vulnerability occurs in the email.utils.parseaddr function's parsing mechanism when processing specially crafted input strings. When the function encounters certain malformed inputs, it enters a recursive loop that eventually exceeds Python's maximum recursion depth. The vulnerability has been assigned a CVSS 3.1 Base Score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L (NVD).

Impact

The successful exploitation of this vulnerability results in a partial denial of service condition for the affected application. When triggered, the application will raise a RecursionError, potentially disrupting the processing of email addresses and related functionality (NVD).

Mitigation and workarounds

Applications should use the email.parser.BytesParser or email.parser.Parser class instead of the legacy email.utils.parseaddr function. The vendor has noted that this is neither a vulnerability nor a bug, as the email package is intended to have size limits and throw exceptions when limits are exceeded (NVD).
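The following is an added example, not code from the advisory or from Python itself, showing the recommended approach: parsing an address-list header with email.parser.Parser under email.policy.default instead of email.utils.parseaddr, with an input-size cap and a guard that converts a RecursionError into a controlled rejection. MAX_HEADER_LEN, the result type and the sample header values are assumptions constructed for the example.

```python
"""Address-header parsing via email.parser instead of the legacy
email.utils.parseaddr, with size and recursion guards.
Added example; MAX_HEADER_LEN and the sample values are constructed."""
from email import policy
from email.parser import Parser
from typing import List, NamedTuple, Optional, Tuple

MAX_HEADER_LEN = 998  # assumption: RFC 5322 line limit reused as a size cap


class ParsedAddresses(NamedTuple):
    addresses: List[Tuple[str, str]]  # (display_name, addr_spec) pairs
    defects: List[str]                # syntax problems the parser recorded
    error: Optional[str]              # set when the input was rejected


def parse_address_list(header_value: str,
                       max_len: int = MAX_HEADER_LEN) -> ParsedAddresses:
    """Parse a From/To/Cc style header value from untrusted input.

    Parser with policy.default yields a typed AddressHeader: addresses are
    exposed as structured fields and malformed syntax lands in .defects.
    Oversized or multi-line values are rejected before parsing, and a
    RecursionError from pathological nesting becomes a parse failure the
    caller can act on instead of an unhandled exception.
    """
    if len(header_value) > max_len:
        return ParsedAddresses([], [], f"header longer than {max_len} chars")
    if "\r" in header_value or "\n" in header_value:
        # A raw line break would let the value inject extra headers below.
        return ParsedAddresses([], [], "header contains line breaks")
    try:
        msg = Parser(policy=policy.default).parsestr(f"To: {header_value}\n\n")
        header = msg["To"]  # header objects are built lazily on access
    except RecursionError:
        return ParsedAddresses([], [], "header nested too deeply to parse")
    addresses = [(a.display_name, a.addr_spec) for a in header.addresses]
    defects = [f"{type(d).__name__}: {d}" for d in header.defects]
    return ParsedAddresses(addresses, defects, None)


# Constructed sample inputs, not taken from the advisory.
SAMPLES = [
    "Jane Doe <jane@example.com>, bob@example.org",
    "Alice <alice@example.com",   # missing closing angle bracket
    "x" * 2000,                   # oversized value, rejected up front
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_address_list(sample))
```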

This report was generated using AI.
