CVE-2026-44844 - eml_parser has recursion DoS via nested message/rfc822 attachments

📡 GitHub-Advisory · 2026-05-08


GHSA-g47v-rwmh-r9f8 · MEDIUM · pip/eml_parser

CVE: CVE-2026-44844

Summary

EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment, without any depth limit. An attacker who can supply a crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker.

Although this crashes the parser, it is an unlikely scenario: the EML needed to trigger it would not pass basic RFC compliance tests.

Details

The vulnerable function is EmlParser.get_raw_body_text() in eml_parser/parser.py. For every part of type multipart/*, the function iterates over its sub-parts; for every sub-part of type message/rfc822, it calls itself recursively on the inner message:

There is no depth parameter and no early-abort. CPython's default sys.recursionlimit is 1000. Each level of message/rfc822 nesting adds approximately 8 frames to the stack (parser code + stdlib _header_value_parser calls), so roughly 120 nested levels exhaust the limit.

The RecursionError is not caught anywhere along the call chain, so it propagates out of decode_email_bytes() and aborts processing of the entire message.

PoC

Environment: Python 3.12.3, eml_parser 3.0.0 (pip install eml_parser==3.0.0), default sys.recursionlimit=1000, Ubuntu 24.04 aarch64. No special configuration of EmlParser, default constructor.

Self-contained reproducer that builds the PoC and triggers the crash:

import eml_parser

def build_poc(depth=124):
    # Innermost leaf: a minimal text/plain message.
    inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
    msg = inner
    # Wrap the message `depth` times in multipart/mixed -> message/rfc822,
    # each level using its own boundary string.
    for i in range(depth):
        b = f"B{i}".encode()
        msg = (
            b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
            b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n'
        ) + msg + b'\r\n--' + b + b'--\r\n'
    return msg

ep = eml_parser.EmlParser()
# With the default sys.recursionlimit of 1000 this raises RecursionError.
ep.decode_email_bytes(build_poc())
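The depth bound that the Details section says is missing, together with a controlled failure mode in place of the crash the PoC triggers, as an added example that is not part of this advisory or of eml_parser's own code. It uses only the standard-library `email` package and walks the part tree with an explicit stack, so stack depth no longer grows with message/rfc822 nesting; the names `MAX_NESTING`, `NestingTooDeep`, `walk_text_parts`, `safe_parse` and `build_nested` are chosen here, the nesting cap of 10 is an assumption, and `build_nested` constructs sample input in the same shape as the PoC above.

```python
import email
import email.policy
from email.message import EmailMessage

# Assumed cap on message/* nesting; legitimate mail rarely nests more than a few levels.
MAX_NESTING = 10


class NestingTooDeep(ValueError):
    """Raised when an EML nests message/rfc822 parts deeper than the allowed limit."""


def build_nested(depth: int) -> bytes:
    """Constructed sample input: a text/plain message wrapped `depth` times in
    multipart/mixed -> message/rfc822, the same shape the advisory's PoC builds."""
    msg = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
    for i in range(depth):
        boundary = f"B{i}".encode()
        msg = (
            b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n\r\n'
            b"--" + boundary + b"\r\nContent-Type: message/rfc822\r\n\r\n"
            + msg
            + b"\r\n--" + boundary + b"--\r\n"
        )
    return msg


def walk_text_parts(raw: bytes, max_nesting: int = MAX_NESTING) -> list[str]:
    """Collect text/plain bodies from an EML, descending into message/rfc822
    attachments with an explicit stack instead of recursion, and refusing input
    that nests deeper than `max_nesting` message/* levels."""
    root: EmailMessage = email.message_from_bytes(raw, policy=email.policy.default)
    texts: list[str] = []
    # Each stack entry is (part, number of message/* boundaries crossed to reach it).
    stack: list[tuple[EmailMessage, int]] = [(root, 0)]
    while stack:
        part, depth = stack.pop()
        if part.is_multipart():
            # A message/* part (message/rfc822 in practice) wraps a whole inner
            # message, which is one more nesting level. multipart/* children stay
            # at the same level because they belong to the same message.
            child_depth = depth + 1 if part.get_content_maintype() == "message" else depth
            if child_depth > max_nesting:
                raise NestingTooDeep(
                    f"message/* nesting exceeds {max_nesting} levels; refusing to parse"
                )
            # reversed() keeps document order when popping from the stack.
            for child in reversed(part.get_payload()):
                stack.append((child, child_depth))
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())
    return texts


def safe_parse(raw: bytes, max_nesting: int = MAX_NESTING) -> tuple[str, list[str]]:
    """What a worker would call: returns ("ok", bodies) or ("rejected", []) so an
    over-nested message is dropped with a status the caller can log, instead of
    an exception escaping and killing the worker."""
    try:
        return "ok", walk_text_parts(raw, max_nesting)
    except NestingTooDeep:
        return "rejected", []


if __name__ == "__main__":
    print(safe_parse(build_nested(3)))
    print(safe_parse(build_nested(20), max_nesting=10))
```

`build_nested(5)` with `max_nesting=4` comes back as `("rejected", [])` rather than a RecursionError, and the walker's stack usage is constant regardless of nesting, so the cap can be tuned to the deployment without re-introducing the crash. The bound covers the walk only: `email.message_from_bytes` still parses the full tree before the walk starts, and this example leaves that step unchanged.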
