PatchSiren cyber security CVE debrief
CVE-2023-27043 Python CVE debrief
CVE-2023-27043 is a Python email-module parsing flaw that can cause applications to trust the wrong part of an RFC 2822 header as the addr-spec. In systems that grant access only after confirming an address belongs to an approved domain, this can let a crafted address slip past domain-based signup or verification checks.
- Vendor: Python
- Product: CVE-2023-27043
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-04-19
- Original CVE updated: 2026-05-12
- Advisory published: 2023-04-19
- Advisory updated: 2026-05-12
Who should care
Teams running internet-facing Python applications that use the standard library email parser for account creation, email verification, or domain allowlisting should review this immediately. Application security, identity, and platform teams responsible for Python runtime upgrades are also in scope.
Technical summary
The issue is in Python’s email/_parseaddr.py path. When parsing email addresses that contain a special character, the parser can identify the wrong portion of an RFC 2822 header as the addr-spec value. If application logic uses that parsed value to enforce a trusted-domain rule, the validation decision can be wrong and allow an authorization bypass. NVD lists affected Python ranges as 2.7.18; 3.0 through 3.8.19; 3.9.0 through 3.9.19; 3.10.0 through 3.10.14; 3.11.0 through 3.11.9; and 3.12.0 through 3.12.5.
Defensive priority
Medium overall, but high priority for any application that uses Python email parsing as part of authentication, signup gating, or domain-based trust decisions.
Recommended defensive actions
- Upgrade Python to a version outside the vulnerable ranges listed by NVD, using the fixed release lines in your environment as the target for remediation.
- Audit code paths that parse email addresses and then make access-control decisions, especially domain allowlists such as @company.example.com signup rules.
- Avoid relying on the stdlib parser alone for trust decisions; add explicit validation of the canonical email address and domain before granting access.
- Review existing accounts or signups created through affected workflows for anomalies and re-verify any access decisions that depended on parsed email values.
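The hardening in the third action above, as an added example that is not part of the PatchSiren debrief or of CPython: a signup check that does not trust whichever addr-spec email.utils.parseaddr picked out of the input, next to the weak pattern this CVE punishes. The allowlist domain and all inputs in the test are constructed.

```python
import re
from email.utils import parseaddr

# Conservative addr-spec shape: one local part, one dotted domain, and none of the
# quoting, comments, angle brackets, commas or whitespace that force the parser to
# choose which part of the string is "the address".
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

# Constructed allowlist standing in for the @company.example.com signup rule.
ALLOWED_DOMAINS = frozenset({"company.example.com"})


def weak_domain_check(raw: str) -> bool:
    """The pattern CVE-2023-27043 bites: whatever addr-spec the parser returned
    is trusted for the domain decision, so a parser mis-pick becomes a bypass."""
    return parseaddr(raw)[1].lower().endswith("@company.example.com")


def canonical_allowlisted_address(raw: str, allowed_domains=ALLOWED_DOMAINS):
    """Return the canonical address if `raw` is a bare addr-spec on an allowed
    domain, otherwise None.

    The parser output is cross-checked rather than trusted: the parsed address
    must equal the whole (stripped) input, must match the strict pattern above,
    and its domain must be an exact allowlist member. On fixed Python versions
    parseaddr may return ('', '') for malformed input; that is rejected too.
    """
    candidate = raw.strip()
    realname, parsed = parseaddr(candidate)
    if realname or parsed != candidate:
        # A display name, comment, angle brackets or a second address was present,
        # so the parser had to pick a part of the string. Refuse instead of guessing.
        return None
    if not _ADDR_SPEC.fullmatch(parsed):
        return None
    local, _, domain = parsed.rpartition("@")
    domain = domain.lower()
    if domain not in allowed_domains:
        return None
    return f"{local}@{domain}"
```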
Evidence notes
This debrief is based on the supplied NVD CVE record, which includes the CVSS vector, affected version ranges, CWE classification, and links to the Python advisory and issue tracker. The publicly described impact is an authorization or validation bypass in applications that depend on email-domain checks; the supplied corpus does not indicate code execution or availability impact.
Official resources
- CVE-2023-27043 CVE record (CVE.org)
- CVE-2023-27043 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
- Source reference: Exploit, Issue Tracking
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Third Party Advisory
Publicly disclosed on 2023-04-19. The supplied corpus shows no CISA KEV entry for this CVE, and the NVD record was last modified on 2026-05-12.