PT-2026-23443 · Unknown · Eml-Parser

Redyank · Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-29780

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: eml_parser versions prior to 2.0.1
Description: The eml_parser module, used for parsing .eml files, contains a path traversal issue in the example script examples/recursively_extract_attachments.py that allows arbitrary file writes outside the intended output directory. Attachment filenames taken from parsed emails are used directly to construct output file paths without sanitization, so an attacker-controlled filename can escape the target directory: crafting the attachment headers, for example a Content-Disposition header with a filename such as ../outside/pwned.txt, is enough. The vulnerable code is located in lines 61-64 of examples/recursively_extract_attachments.py, where the a['filename'] variable is used directly to build the output file path. The vulnerability is limited to the example script and does not affect the core eml_parser library. Potential attack scenarios include cron job injection, web shell upload, and SSH key injection. The vulnerable parameter is a['filename'].
Recommendations: Versions prior to 2.0.1 should be updated to version 2.0.1 or later. As a temporary workaround, implement path normalization and boundary validation before writing files: use os.path.basename() to extract the bare filename and ensure the resulting path stays inside the intended output directory with out_filepath.resolve().is_relative_to(out_path.resolve()).
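As an added illustration (not code from the advisory or from the eml_parser project), the unsanitized path construction described above next to the recommended workaround; the attachment records are constructed samples and the out_path/out_filepath names only mirror the script's variables:

```python
import os
import tempfile
from pathlib import Path

# Constructed sample of the attachment records the example script iterates over
# (the real script obtains them from eml_parser's decoded message structure).
SAMPLE_ATTACHMENTS = [
    {"filename": "report.pdf", "raw": b"%PDF-1.4 constructed sample"},
    {"filename": "../outside/pwned.txt", "raw": b"escaped"},
    {"filename": "../../etc/cron.d/job", "raw": b"escaped"},
    {"filename": "", "raw": b"nameless"},
]


def unsafe_output_path(out_path: Path, filename: str) -> Path:
    """The vulnerable construction: the attachment name is joined unchanged,
    so '..' components point outside out_path."""
    return out_path / filename


def safe_output_path(out_path: Path, filename: str) -> Path:
    """The advisory's workaround: strip any directory part, then prove the
    resolved result still lies inside out_path (needs Python 3.9+ for
    is_relative_to)."""
    name = os.path.basename(filename.replace("\\", "/"))  # also drop Windows separators
    if name in ("", ".", ".."):
        raise ValueError("attachment has no usable filename")
    out_filepath = out_path / name
    if not out_filepath.resolve().is_relative_to(out_path.resolve()):
        raise ValueError(f"refusing to write outside {out_path}: {filename!r}")
    return out_filepath


def extract_attachments(attachments, out_path: Path):
    """Write each attachment under out_path; return (written names, rejected names)."""
    out_path.mkdir(parents=True, exist_ok=True)
    written, rejected = [], []
    for a in attachments:
        try:
            target = safe_output_path(out_path, a["filename"])
        except ValueError:
            rejected.append(a["filename"])
            continue
        target.write_bytes(a["raw"])
        written.append(target.name)
    return written, rejected


def demo():
    """Run the hardened extraction in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_attachments(SAMPLE_ATTACHMENTS, Path(tmp) / "attachments")
```

Running demo() writes report.pdf, pwned.txt and job inside the scratch directory and rejects only the nameless attachment; nothing is created under ../outside.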

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-29780
GHSA-389R-RCCM-H3H5

Affected Products

Eml-Parser