CVE-2025-1795: Mishandling of comma during folding and unicode-encoding of email headers

2.3 CVSS

Description

During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.

Classification

CVE ID: CVE-2025-1795

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor: Python Software Foundation

Product: CPython

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 11.72% (scored less or equal to compared to others)

EPSS Date: 2025-03-29 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1795
https://github.com/python/cpython/issues/100884
https://github.com/python/cpython/pull/100885
https://github.com/python/cpython/pull/119099
https://github.com/python/cpython/commit/09fab93c3d857496c0bd162797fab816c311ee48
https://github.com/python/cpython/commit/70754d21c288535e86070ca7a6e90dcb670b8593
https://github.com/python/cpython/commit/9148b77e0af91cdacaa7fe3dfac09635c3fe9a74
https://mail.python.org/archives/list/[email protected]/thread/MB62IZMEC3UM6SGHP5LET5JX2Y7H4ZUR/

Timeline

2025-02-28 20:40:19 UTC
CVE

Mishandling of comma during folding and unicode-encoding of email headers
2025-03-22 13:15:36 UTC
Tenable Plugins

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python311 (SUSE-SU-2025:0982-1)
2025-03-22 13:15:37 UTC
Tenable Plugins

SUSE SLES15 Security Update : python311 (SUSE-SU-2025:0981-1)
2025-04-14 06:00:43 UTC
Tenable Plugins

CBL Mariner 2.0 Security Update: python3 (CVE-2025-1795)