Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1.
Published: 2026-05-26
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

eml_parser implements a Python module for parsing EML files. In versions prior to 3.0.1 the method get_raw_body_text() recurses without a depth limit for every nested message/rfc822 attachment. An attacker can supply a crafted EML file containing about 120 nested parts which triggers an unhandled RecursionError and aborts the parsing process. The result is a crash of the worker that processes the file, causing a denial‑of‑service. The weakness is classified as CWE‑674, Uncontrolled Recursion.

Affected Systems

The affected product is GOVCERT‑LU eml_parser, any Python installation using a version earlier than 3.0.1. No additional vendors or product versions are listed in the CNA data.

Risk and Exploitability

The vulnerability has a CVSS score of 6.3, indicating a moderate impact. No EPSS information is available and it is not listed in CISA KEV. Exploitation requires the ability to supply a malicious EML file to the parser; a 12 KB file with around 120 nested message/rfc822 parts is sufficient to cause a crash. The attack is likely to target automated workers that perform email parsing and is best performed in a context where the attacker controls the input.

Generated by OpenCVE AI on May 26, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eml_parser to version 3.0.1 or later to remove the unbounded recursion.
  • If an upgrade cannot be performed immediately, implement input validation or sandboxing to reject or limit the nesting depth of message/rfc822 attachments before invoking the parser.
  • Enforce generic size limits or use a separate process to parse emails so that a crash does not bring down the entire system.

Generated by OpenCVE AI on May 26, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g47v-rwmh-r9f8 eml_parser has recursion DoS via nested message/rfc822 attachments
History

Tue, 26 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Govcert-lu
Govcert-lu eml Parser
Vendors & Products Govcert-lu
Govcert-lu eml Parser

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1.
Title eml_parser: Recursion DoS via nested message/rfc822 attachments
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Govcert-lu Eml Parser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T19:49:45.723Z

Reserved: 2026-05-07T21:21:48.353Z

Link: CVE-2026-44844

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-26T21:16:39.163

Modified: 2026-05-26T21:16:39.163

Link: CVE-2026-44844

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses