CVE-2018-12558
Description
The Email::Address Perl module up to version 1.909 is vulnerable to algorithmic complexity DoS via crafted input containing 30 form-feed characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The parse() method in the Email::Address Perl module (versions through 1.909) is vulnerable to an algorithmic complexity attack because it relies on regular expressions that can exhibit exponential backtracking. Specially crafted input containing 30 form-feed characters ("\f") causes the parser to consume excessive CPU time, leading to a denial of service [1].
Exploitation
An attacker can exploit this vulnerability by sending an email with a crafted From, To, or Cc header containing 30 consecutive form-feed characters. Any application that uses Email::Address->parse() on untrusted email headers will be affected. No authentication or special privileges are required; the attacker only needs to deliver the malicious email to the target system.
Impact
Successful exploitation results in a denial of service (CPU exhaustion) on the system parsing the email. The service may become unresponsive or crash, but no data confidentiality or integrity is compromised.
Mitigation
As of the disclosure date (June 2018), no fixed version of Email::Address has been released. Users should monitor for updates or implement input validation to reject or sanitize email headers containing excessive form-feed characters. Alternatively, consider using a different email address parsing library that is not vulnerable to this issue.
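One way to implement the input validation suggested above, as an added example that is not code from the Email::Address project or from the advisory. The names `reject_reason` and `guarded_parse`, the 4096-byte cap and the sample header values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed policy value (not from the advisory): longest header value accepted.
my $MAX_HEADER_LEN = 4096;

# Return undef when the header value may be handed to the parser,
# otherwise a short reason string suitable for logging.
sub reject_reason {
    my ($value) = @_;
    return 'undefined value' unless defined $value;
    return 'value too long'  if length($value) > $MAX_HEADER_LEN;
    # Form feed is 0x0C. Address headers need no C0 controls except
    # TAB, CR and LF (header folding), so reject the rest and DEL.
    if ($value =~ /([\x00-\x08\x0B\x0C\x0E-\x1F\x7F])/) {
        return sprintf 'control character 0x%02X at offset %d', ord($1), $-[1];
    }
    return;
}

# Parse only values that pass the filter. $parser is a code reference so the
# guard can sit in front of whichever address parser the application uses.
sub guarded_parse {
    my ($value, $parser) = @_;
    if (defined(my $why = reject_reason($value))) {
        warn "address header rejected: $why\n";
        return;
    }
    return $parser->($value);
}

# Use Email::Address when installed; otherwise a stand-in so the demo runs.
my $parser = eval { require Email::Address; 1 }
    ? sub { Email::Address->parse($_[0]) }
    : sub { ($_[0]) };

# Constructed sample header values, not taken from real mail.
my @samples = (
    'Alice Example <alice@example.org>',
    'bob@example.org, carol@example.org',
    'x' . ("\f" x 30) . '@example.org',   # rejected before the parser runs
);
for my $value (@samples) {
    my @addrs = guarded_parse($value, $parser);
    printf "%d address(es) accepted\n", scalar @addrs;
}
```

The filter has to run before the parser: Perl's deferred signal handling only checks for signals between opcodes, so an `alarm` timeout cannot be relied on to interrupt a regular expression match that is already backtracking.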
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- Range: <=1.909
- osv-coords (3 versions): < 1.912-bp150.3.3.1 + 2 more
  - pkg:rpm/opensuse/perl-Email-Address&distro=openSUSE%20Leap%2015.0
  - pkg:rpm/opensuse/perl-Email-Address&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/perl-Email-Address&distro=SUSE%20Package%20Hub%2015
- (no CPE) range: < 1.912-bp150.3.3.1
- (no CPE) range: < 1.913-1.1
- (no CPE) range: < 1.912-bp150.3.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00012.html (mitre, vendor-advisory, x_refsource_SUSE)
- www.openwall.com/lists/oss-security/2018/06/19/3 (mitre, mailing-list, x_refsource_MLIST)
- bugs.debian.org/cgi-bin/bugreport.cgi (mitre, x_refsource_MISC)