PT-2026-39305 · Pypi · Eml-Parser
Sebasteuo · Published 2026-05-08 · Updated 2026-05-26
CVE-2026-44844
CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
eml_parser version 3.0.0
Description
A recursion denial of service exists in the get_raw_body_text() function within eml_parser/parser.py. The function recurses unconditionally for every nested message/rfc822 attachment without a depth limit. An attacker can provide a specially crafted EML file with approximately 120 nested message/rfc822 parts to trigger an unhandled RecursionError, which aborts the parsing process and can crash a worker process. This issue is exploitable in deployments that ingest emails from external senders without basic validation.
Recommendations
Update eml_parser to a version where recursion depth checks have been implemented for the get_raw_body_text() function.
Exploit
Fix
DoS
Uncontrolled Recursion
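The "basic validation" mentioned in the description can be done as a pre-parse gate. The following is an added example, not code from eml_parser or from this advisory: it walks the MIME tree with an explicit stack instead of recursion and rejects mail whose message/rfc822 nesting exceeds a limit. MAX_RFC822_DEPTH, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_RFC822_DEPTH = 10  # assumed limit, not from the advisory; tune per deployment


def rfc822_nesting_depth(msg: Message, limit: int) -> int:
    """Deepest message/rfc822 nesting in msg; stops early once it exceeds limit."""
    deepest = 0
    stack = [(msg, 0)]  # explicit stack: the walk itself never recurses
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if deepest > limit:
            return deepest
        payload = part.get_payload()
        if not isinstance(payload, list):
            continue  # leaf part (text body, binary attachment)
        # Children of a message/rfc822 part sit one level deeper;
        # children of a multipart/* container stay at the same level.
        nested = part.get_content_type() == "message/rfc822"
        stack.extend((child, depth + 1 if nested else depth) for child in payload)
    return deepest


def safe_to_parse(raw: bytes, limit: int = MAX_RFC822_DEPTH) -> bool:
    """True if raw may be handed to the EML parser, False if it should be rejected."""
    try:
        msg = email.message_from_bytes(raw)
    except RecursionError:
        return False  # defensive: the stdlib parser itself ran out of stack
    return rfc822_nesting_depth(msg, limit) <= limit


def forward(inner: Message) -> Message:
    """Constructed sample helper: wrap inner as a forwarded attachment."""
    outer = MIMEMultipart()
    outer.attach(MIMEText("see attached"))
    outer.attach(MIMEMessage(inner))
    return outer


# Constructed sample: a mail forwarded twice (two message/rfc822 levels).
SAMPLE_EML = forward(forward(MIMEText("original body"))).as_bytes()
```

Call safe_to_parse() on the raw bytes before handing them to eml_parser, and quarantine or drop mail that fails the check.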
Weakness Enumeration
Related Identifiers
Affected Products
Eml-Parser