In fact, the vulnerability I found on #Tchap is a problem that comes from the Python email.utils module 😨
The parseaddr method seems very broken, you should not use it at all. Let me show you why. 1/
If you use this method in your codebase, review it asap, especially if you have implemented an email restriction 8/