net/mail: quadratic string concatenation in consumePhrase

[thatnealpatel]

Pathological inputs could cause DoS through consumePhrase
when parsing an email address according to RFC 5322.

This is CVE-2026-42499 and Go issue https://go.dev/issue/78987.

---

This was a PUBLIC track issue, tracked in http://b/502123043.

[gabyhelp]

Related Issues

• net/mail: ParseAddress: quadratic complexity in consumeComment #78566
• net/mail: excessive CPU consumption in ParseAddress (CVE-2025-61725) #75680 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/771145 mentions this issue: net/mail: fix O(n²) quadratic string concat in consumePhrase (CVE-2026-42499)

[gopherbot]

Change https://go.dev/cl/771520 mentions this issue: net/mail: fix quadratic consumePhrase behavior

[nicholashusin]

@gopherbot please open backport issues for this security fix

[gopherbot]

Backport issue(s) opened: #79003 (for 1.25), #79004 (for 1.26).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.