FKIE_CVE-2025-1795

Vulnerability from fkie_nvd - Published: 2025-02-28 19:15 - Updated: 2025-11-03 21:18
Severity ?
2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.
References
cna@python.orghttps://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48
cna@python.orghttps://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593
cna@python.orghttps://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74
cna@python.orghttps://github.com/python/cpython/commit/a4ef689ce670684ec132204b1cd03720c8e0a03d
cna@python.orghttps://github.com/python/cpython/commit/d4df3c55e4c5513947f907f24766b34d2ae8c090
cna@python.orghttps://github.com/python/cpython/issues/100884
cna@python.orghttps://github.com/python/cpython/pull/100885
cna@python.orghttps://github.com/python/cpython/pull/119099
cna@python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers."
    },
    {
      "lang": "es",
      "value": "Durante el plegado de una lista de direcciones, cuando una coma separadora termina en una l\u00ednea plegada y esa l\u00ednea debe codificarse en Unicode, entonces el separador en s\u00ed tambi\u00e9n se codifica en Unicode. El comportamiento esperado es que la coma separadora siga siendo una coma de plan. Esto puede provocar que algunos servidores de correo interpreten mal el encabezado de la direcci\u00f3n."
    }
  ],
  "id": "CVE-2025-1795",
  "lastModified": "2025-11-03T21:18:53.080",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@python.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-28T19:15:36.550",
  "references": [
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/a4ef689ce670684ec132204b1cd03720c8e0a03d"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/commit/d4df3c55e4c5513947f907f24766b34d2ae8c090"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/issues/100884"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/pull/100885"
    },
    {
      "source": "cna@python.org",
      "url": "https://github.com/python/cpython/pull/119099"
    },
    {
      "source": "cna@python.org",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html"
    }
  ],
  "sourceIdentifier": "cna@python.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-116"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.