{"id":"GO-2026-4977","summary":"Quadratic string concatenation in consumePhrase in net/mail","details":"Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.","aliases":["BIT-golang-2026-42499","CVE-2026-42499"],"modified":"2026-05-11T08:11:25.012229180Z","published":"2026-05-07T19:21:40Z","related":["CGA-m28j-j59g-3rp3"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4977"},"references":[{"type":"REPORT","url":"https://go.dev/issue/78987"},{"type":"FIX","url":"https://go.dev/cl/771520"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"path":"net/mail","symbols":["AddressParser.Parse","AddressParser.ParseList","Header.AddressList","ParseAddress","ParseAddressList","addrParser.consumePhrase"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4977.json"}}],"schema_version":"1.7.5"}