{"url":"http://public2.vulnerablecode.io/api/packages/975993?format=json","purl":"pkg:pypi/eml-parser@1.4","type":"pypi","namespace":"","name":"eml-parser","version":"1.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.0.1","latest_non_vulnerable_version":"3.0.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95078?format=json","vulnerability_id":"VCID-eu61-61z3-2bhx","summary":"eml_parser has recursion DoS via nested message/rfc822 attachments\n### Summary\n\n`EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker.\nThough this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.\n\n### Details\n\nThe vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message:\n\nThere is no depth parameter and no early-abort. CPython's default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit.\n\nThe `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message.\n\n\n### PoC\n\nEnvironment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor.\n\nSelf-contained reproducer that builds the PoC and triggers the crash:\n\n```python\nimport eml_parser\n\ndef build_poc(depth=124):\n    inner = b\"From: a@a\\r\\nTo: b@b\\r\\nContent-Type: text/plain\\r\\n\\r\\n.\\r\\n\"\n    msg = inner\n    for i in range(depth):\n        b = f\"B{i}\".encode()\n        msg = (\n            b'Content-Type: multipart/mixed; boundary=\"' + b + b'\"\\r\\n\\r\\n'\n            b'--' + b + b'\\r\\nContent-Type: message/rfc822\\r\\n\\r\\n'\n        ) + msg + b'\\r\\n--' + b + b'--\\r\\n'\n    return msg\n\nep = eml_parser.EmlParser()\nep.decode_email_bytes(build_poc())\n# RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64).\n```\n\nNote that the suggested code does not produce an RFC compliant message.\nResulting EML payload size: 12,369 bytes.\nSHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8`\n\nThe crash is deterministic on a stock install. No network, no special headers, no large attachments.\n\n### Impact\n\nDenial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`.\n\nA single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop.\n\nThe vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation.\nConsidering that email messages pass through a mail-server which does some kind of validation, messages as produced by the  *build_poc* function would not reach eml_parser.\nNonetheless recursion depth checks have been implemented to handle the described issue.\n\n\n### Reporter\n\nSebastián Alba Vives (`@Sebasteuo`)\nIndependent security researcher, Senior AppSec Consultant\nLinkedIn: https://www.linkedin.com/in/sebastian-alba\nEmail: sebasjosue84@gmail.com\nPGP: `0D1A E4C2 CFC8 894F 19EA  DA24 45CD CA33 2CF8 31F4`","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44844","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0588","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05863","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05839","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05883","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.0589","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44844"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/GOVCERT-LU/eml_parser"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:41:30Z/"}],"url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44844","reference_id":"CVE-2026-44844","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44844"},{"reference_url":"https://github.com/advisories/GHSA-g47v-rwmh-r9f8","reference_id":"GHSA-g47v-rwmh-r9f8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g47v-rwmh-r9f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118533?format=json","purl":"pkg:pypi/eml-parser@3.0.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/eml-parser@3.0.1"}],"aliases":["CVE-2026-44844","GHSA-g47v-rwmh-r9f8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eu61-61z3-2bhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50710?format=json","vulnerability_id":"VCID-yjky-4vey-zqhj","summary":"eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write\nThe official example script `examples/recursively_extract_attachments.py` contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29780","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00587","published_at":"2026-06-09T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00584","published_at":"2026-06-08T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00588","published_at":"2026-06-07T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00591","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-29780"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/GOVCERT-LU/eml_parser"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:36Z/"}],"url":"https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser/issues/88","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:36Z/"}],"url":"https://github.com/GOVCERT-LU/eml_parser/issues/88"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29780","reference_id":"CVE-2026-29780","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29780"},{"reference_url":"https://github.com/advisories/GHSA-389r-rccm-h3h5","reference_id":"GHSA-389r-rccm-h3h5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-389r-rccm-h3h5"},{"reference_url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5","reference_id":"GHSA-389r-rccm-h3h5","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:36Z/"}],"url":"https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74487?format=json","purl":"pkg:pypi/eml-parser@2.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-eu61-61z3-2bhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/eml-parser@2.0.1"}],"aliases":["CVE-2026-29780","GHSA-389r-rccm-h3h5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjky-4vey-zqhj"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/eml-parser@1.4"}