net/mail: quadratic string concatenation in consumePhrase
Pathological inputs could cause DoS through consumePhrase
when parsing an email address according to RFC 5322.
This is CVE-2026-42499 and Go issue https://go.dev/issue/78987.
This was a PUBLIC track issue, tracked in http://b/502123043.
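Added example, not part of this commit and not net/mail's code: a simplified Go model of the cost class named in the subject line, counting the bytes copied when a phrase is built by repeated concatenation versus a single buffer, plus a length cap applied before mail.ParseAddress. The names joinByConcat, joinByBuilder and parseBounded, the 1024-byte cap and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// joinByConcat models the costly pattern: each iteration allocates a new
// string and copies everything accumulated so far. Returns bytes copied.
func joinByConcat(words []string) (string, int) {
	phrase, sep, copied := "", "", 0
	for _, w := range words {
		phrase += sep + w // new allocation holding the old phrase plus the word
		copied += len(phrase)
		sep = " "
	}
	return phrase, copied
}

// joinByBuilder appends into one buffer (amortized linear); returns bytes appended.
func joinByBuilder(words []string) (string, int) {
	var b strings.Builder
	for i, w := range words {
		if i > 0 {
			b.WriteByte(' ')
		}
		b.WriteString(w)
	}
	return b.String(), b.Len()
}

var errTooLong = errors.New("address input exceeds length cap")

// parseBounded rejects oversized input before parsing; maxLen is an assumed cap.
func parseBounded(s string, maxLen int) (*mail.Address, error) {
	if len(s) > maxLen {
		return nil, errTooLong
	}
	return mail.ParseAddress(s)
}

func main() {
	words := strings.Fields(strings.Repeat("a ", 1000)) // constructed input
	_, slow := joinByConcat(words)
	_, fast := joinByBuilder(words)
	_, err := parseBounded("Alice Example <alice@example.com>", 1024)
	fmt.Println(slow, fast, err)
}
```

In this model, doubling the number of words quadruples the bytes copied by joinByConcat, while joinByBuilder grows in step with the input.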