When mime.WordDecoder.DecodeHeader fails to decode the contents of an encoded-word, it preserves the undecoded input in its output. For example, DecodeHeader("=?X?B?foo?=") returns "=?X?B?foo?=" because "foo" is not valid base64. This part is fine; the function is documented as doing this.
When failing to decode an encoded-word, DecodeHeader consumes the initial "=?" of the word (appending it to the output) and then resumes parsing from the character after it. This is quadratic (or nearly so) when processing a malicious input consisting of many "=?x?y?" prefixes followed by a single terminal "?=".
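The practical mitigation for an input-size-dependent worst case like this is to bound the input before it reaches the decoder. The following is an added example, not code from the Go issue or from the standard library: it wraps DecodeHeader with a length cap, and the names SafeDecodeHeader, MaxHeaderLen and ErrHeaderTooLong are assumptions chosen for this example. It also shows the documented behaviour from the report (an undecodable encoded-word is returned verbatim) alongside a valid encoded-word.

```go
// Added example, not part of the Go issue or the Go standard library.
// SafeDecodeHeader caps the input length before calling
// mime.WordDecoder.DecodeHeader, so the decoder's worst-case cost is bounded
// by MaxHeaderLen rather than by attacker-chosen input size.
package main

import (
	"errors"
	"fmt"
	"mime"
	"strings"
)

// MaxHeaderLen is an assumed cap for this example; pick a value that fits
// the headers your application legitimately receives (RFC 5322 limits a
// single line to 998 bytes, but folded headers may be longer).
const MaxHeaderLen = 4096

// ErrHeaderTooLong is returned when the input exceeds MaxHeaderLen.
var ErrHeaderTooLong = errors.New("header exceeds maximum decodable length")

// SafeDecodeHeader rejects oversized input in O(1) before handing it to
// DecodeHeader. Everything else (valid words, undecodable words that are
// preserved verbatim, plain text) behaves exactly as DecodeHeader documents.
func SafeDecodeHeader(dec *mime.WordDecoder, header string) (string, error) {
	if len(header) > MaxHeaderLen {
		return "", ErrHeaderTooLong
	}
	return dec.DecodeHeader(header)
}

func main() {
	dec := new(mime.WordDecoder)

	// Constructed sample inputs for illustration.
	samples := []string{
		"=?utf-8?q?hello=20world?=",    // valid Q-encoded word -> "hello world"
		"=?X?B?foo?=",                  // "foo" is not valid base64 -> preserved verbatim
		"plain header, no encoded-words", // returned unchanged
	}
	for _, s := range samples {
		out, err := SafeDecodeHeader(dec, s)
		fmt.Printf("%q -> %q (err=%v)\n", s, out, err)
	}

	// An oversized input is rejected before the decoder ever sees it.
	_, err := SafeDecodeHeader(dec, strings.Repeat("a", MaxHeaderLen+1))
	fmt.Println("oversized input:", err)
}
```

The cap is deliberately applied to the whole header string rather than to individual encoded-words, since the expensive path is the repeated rescanning of the remainder of the input after each failed word; bounding the total length bounds that cost.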
We've designated this a PUBLIC track security issue and CVE-2026-42504.
Thanks to p4p3r (https://hackerone.com/p4p3r_hak) for reporting this issue.