eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write
Description
eml_parser serves as a Python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eml_parser official example script before 2.0.1 has a path traversal flaw allowing arbitrary file write via crafted email attachment filenames.
Vulnerability
Overview
eml_parser is a Python module for parsing .eml files. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contained a path traversal vulnerability that could lead to arbitrary file write outside the intended output directory. The root cause is the direct use of attacker-controlled attachment filenames (from Content-Disposition headers) to construct output file paths without any sanitization, as shown in the vulnerable code at lines 61–64 [3].
Exploitation
Details
An attacker can craft a malicious email with an attachment whose filename includes path traversal sequences such as ../outside/pwned.txt. When a victim runs the example script with this email, the script writes the attachment content to the resolved path, escaping the intended output directory. No authentication or special privileges are required beyond the ability to supply the email file to the script [1][3]. The proof-of-concept demonstrates writing to ../outside/pwned.txt instead of the intended ./safe/pwned.txt [3].
Impact
Successful exploitation allows an attacker to write arbitrary file content to any location the script's process can write. Potential attack scenarios include cron job injection via ../../etc/cron.d/backdoor, web shell upload to ../../var/www/html/shell.php, or SSH key injection into ../../home/user/.ssh/authorized_keys [3]. The vulnerability is limited to the example script and does not affect the core library, but the script is part of the official repository and often adapted for production use [1][3].
Mitigation
The issue has been patched in eml_parser version 2.0.1. The fix (commit 99af03a) resolves paths with pathlib.Path(...).resolve() and extracts only the filename component using .name, preventing traversal [4]. Users should update to version 2.0.1 or later, or avoid using the example script without applying equivalent sanitization [1][3].
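The two path-handling patterns described in the Exploitation and Mitigation sections side by side, as an added example that is not the eml_parser project's own code: `unsafe_output_path` reproduces the pre-2.0.1 join of a header-supplied filename, and `safe_output_path` applies the 2.0.1 approach (resolve the output directory, keep only the `.name` component, fall back to `attachment_N` when the candidate is a directory). Two additions are this example's own assumptions rather than part of the fix: backslashes are normalised before taking the basename so the check behaves the same when a backslash-separated filename is processed on POSIX, and a final `relative_to` containment check rejects anything that still resolves outside the output directory (for instance a pre-existing symlink with the attachment's basename). The sample filenames are constructed test inputs.

```python
import pathlib
import tempfile

# Constructed attachment filenames of the kind a Content-Disposition header
# could carry; these are test inputs for this example, not from a real email.
SAMPLE_FILENAMES = [
    "report.pdf",
    "../outside/pwned.txt",
    "../../etc/cron.d/backdoor",
    "/etc/passwd",
    "..\\..\\win\\evil.exe",
    "subdir",   # matches an existing directory under the output directory
    "..",
    "",
]


def unsafe_output_path(out_dir: pathlib.Path, filename: str) -> pathlib.Path:
    """Pre-2.0.1 pattern: the header-supplied filename is joined as-is."""
    return out_dir / filename


def escapes(out_dir: pathlib.Path, candidate: pathlib.Path) -> bool:
    """True when candidate resolves to a location outside out_dir."""
    try:
        candidate.resolve().relative_to(out_dir.resolve())
        return False
    except ValueError:
        return True


def safe_output_path(out_dir: pathlib.Path, filename: str, counter: int):
    """Return (path, used_fallback) for an attachment, never leaving out_dir."""
    out_dir = out_dir.resolve()
    # Assumption of this example: normalise backslashes so that .name strips
    # Windows-style traversal even when running on POSIX.
    name = pathlib.PurePosixPath(filename.replace("\\", "/")).name
    used_fallback = False
    if name in ("", ".", ".."):
        name = f"attachment_{counter}"
        used_fallback = True
    candidate = out_dir / name
    if candidate.is_dir():  # same fallback the 2.0.1 fix uses
        candidate = out_dir / f"attachment_{counter}"
        used_fallback = True
    # Assumption of this example: belt-and-braces containment check, which
    # also catches a symlink already present in out_dir under that name.
    if escapes(out_dir, candidate):
        raise ValueError(f"refusing to write outside {out_dir}: {candidate}")
    return candidate, used_fallback


def plan_writes(out_dir: pathlib.Path, filenames) -> list:
    """Compute the basename each attachment would be written to."""
    counter = 0
    names = []
    for filename in filenames:
        path, used_fallback = safe_output_path(out_dir, filename, counter)
        if used_fallback:
            counter += 1
        names.append(path.name)
    return names


def demo():
    """Run both patterns over SAMPLE_FILENAMES inside a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = pathlib.Path(tmp) / "safe"
        (out_dir / "subdir").mkdir(parents=True)
        unsafe_escapes = [
            escapes(out_dir, unsafe_output_path(out_dir, f)) for f in SAMPLE_FILENAMES
        ]
        safe_names = plan_writes(out_dir, SAMPLE_FILENAMES)
        return unsafe_escapes, safe_names


if __name__ == "__main__":
    unsafe_escapes, safe_names = demo()
    for filename, esc, safe in zip(SAMPLE_FILENAMES, unsafe_escapes, safe_names):
        print(f"{filename!r:30} unsafe escapes={esc!s:5} safe name={safe}")
```

Whether the unsafe join escapes for the backslash case depends on the platform (on POSIX a backslash is an ordinary filename character), which is exactly why the hardened path normalises separators before taking the basename rather than relying on `Path.name` alone.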
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| eml-parser (PyPI) | < 2.0.1 | 2.0.1 |
Affected products
- Range: < 2.0.1
- GOVCERT-LU/eml_parser: < 2.0.1
Patches
1 file changed · +11 −3
examples/recursively_extract_attachments.py+11 −3 modified@@ -35,8 +35,8 @@ def main(): options = parser.parse_args() - scan_path = pathlib.Path(options.path) - out_path = pathlib.Path(options.outpath) + scan_path = pathlib.Path(options.path).resolve() + out_path = pathlib.Path(options.outpath).resolve() if not scan_path.is_dir(): raise SystemExit('Specified path is not accessible') @@ -53,8 +53,16 @@ def main(): m = ep.decode_email(k) if 'attachment' in m: + attachment_counter = 0 + for a in m['attachment']: - out_filepath = out_path / a['filename'] + attachment_filename = pathlib.Path(a['filename']).name + + out_filepath = out_path / attachment_filename + + if out_filepath.is_dir(): + out_filepath = out_path / f'attachment_{attachment_counter}' + attachment_counter += 1 print(f'\tWriting attachment: {out_filepath}') with out_filepath.open('wb') as a_out:
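Review bot: The first hunk resolves out_path but, unlike scan_path, never checks that it exists and is a directory; a missing or file-typed outpath only surfaces later as an exception from out_filepath.open('wb'). Add a check such as `if not out_path.is_dir(): raise SystemExit('Output path is not a directory')` beside the existing scan_path check.

Review bot: In the second hunk, `attachment_counter = 0` sits inside the per-message block, so the `attachment_{n}` fallback names repeat across messages and a later email silently overwrites an earlier fallback file (two attachments sharing a basename collide the same way). Hoist the counter above the loop over messages, or open with 'xb' so collisions fail loudly. `pathlib.Path(a['filename']).name` removes the traversal components, but no containment check follows; asserting `out_filepath.resolve().relative_to(out_path)` before the write would document the invariant and also catch a pre-existing symlink in out_path with that basename.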
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-389r-rccm-h3h5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29780 (NVD)
- github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9 (fix commit)
- github.com/GOVCERT-LU/eml_parser/issues/88 (issue)
- github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5 (repository advisory)