GHSA-389R-RCCM-H3H5

Vulnerability from github – Published: 2026-03-05 00:16 – Updated: 2026-03-09 15:49
VLAI
Summary
eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write
Details

Summary

The official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory.

Details

File: examples/recursively_extract_attachments.py Lines: 61–64

for a in m['attachment']:
    out_filepath = out_path / a['filename']  # No sanitization
    print(f'\tWriting attachment: {out_filepath}')
    with out_filepath.open('wb') as a_out:
        a_out.write(base64.b64decode(a['raw']))

The value a['filename'] is attacker-controlled via crafted email attachment headers:

Content-Disposition: attachment; filename="../outside/pwned.txt"

No path normalization or boundary validation is performed before writing.

PoC

  1. Create a malicious .eml file:
Content-Disposition: attachment; filename="../outside/pwned.txt"
  1. Run the example script:
python recursively_extract_attachments.py -p ./emails -o ./safe
  1. Expected: ./safe/pwned.txt
  2. Actual: ./outside/pwned.txt ← written outside the intended directory

Verified on Kali Linux with eml_parser installed via pip in a virtual environment.

Impact

This vulnerability is limited to the example script only and does not affect the core eml_parser library. However, as the script is part of the official repository and is likely to be adapted for production use, an attacker supplying a crafted email could achieve arbitrary file write within the execution context.

Potential attack scenarios include: - Cron job injection: filename="../../etc/cron.d/backdoor" - Web shell upload: filename="../../var/www/html/shell.php" - SSH key injection: filename="../../home/user/.ssh/authorized_keys"

Recommended Fix

import os.path

for a in m['attachment']:
    filename = os.path.basename(a['filename'])
    out_filepath = out_path / filename

    if not out_filepath.resolve().is_relative_to(out_path.resolve()):
        print(f'[!] Skipping suspicious filename: {a["filename"]}')
        continue

    print(f'\tWriting attachment: {out_filepath}')
    with out_filepath.open('wb') as a_out:
        a_out.write(base64.b64decode(a['raw']))
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "eml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29780"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:16:57Z",
    "nvd_published_at": "2026-03-07T16:15:55Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe official example script `examples/recursively_extract_attachments.py` contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory.\n\n### Details\nFile: `examples/recursively_extract_attachments.py`\nLines: 61\u201364\n```python\nfor a in m[\u0027attachment\u0027]:\n    out_filepath = out_path / a[\u0027filename\u0027]  # No sanitization\n    print(f\u0027\\tWriting attachment: {out_filepath}\u0027)\n    with out_filepath.open(\u0027wb\u0027) as a_out:\n        a_out.write(base64.b64decode(a[\u0027raw\u0027]))\n```\n\nThe value `a[\u0027filename\u0027]` is attacker-controlled via crafted email attachment headers:\n```\nContent-Disposition: attachment; filename=\"../outside/pwned.txt\"\n```\n\nNo path normalization or boundary validation is performed before writing.\n\n### PoC\n1. Create a malicious `.eml` file:\n```\nContent-Disposition: attachment; filename=\"../outside/pwned.txt\"\n```\n2. Run the example script:\n```\npython recursively_extract_attachments.py -p ./emails -o ./safe\n```\n3. Expected: `./safe/pwned.txt`  \n4. Actual: `./outside/pwned.txt` \u2190 written outside the intended directory\n\nVerified on Kali Linux with eml_parser installed via pip in a virtual environment.\n\n### Impact\nThis vulnerability is limited to the **example script only** and does not affect the core eml_parser library. However, as the script is part of the official repository and is likely to be adapted for production use, an attacker supplying a crafted email could achieve arbitrary file write within the execution context.\n\nPotential attack scenarios include:\n- Cron job injection: `filename=\"../../etc/cron.d/backdoor\"`\n- Web shell upload: `filename=\"../../var/www/html/shell.php\"`\n- SSH key injection: `filename=\"../../home/user/.ssh/authorized_keys\"`\n\n### Recommended Fix\n```python\nimport os.path\n\nfor a in m[\u0027attachment\u0027]:\n    filename = os.path.basename(a[\u0027filename\u0027])\n    out_filepath = out_path / filename\n\n    if not out_filepath.resolve().is_relative_to(out_path.resolve()):\n        print(f\u0027[!] Skipping suspicious filename: {a[\"filename\"]}\u0027)\n        continue\n\n    print(f\u0027\\tWriting attachment: {out_filepath}\u0027)\n    with out_filepath.open(\u0027wb\u0027) as a_out:\n        a_out.write(base64.b64decode(a[\u0027raw\u0027]))\n```",
  "id": "GHSA-389r-rccm-h3h5",
  "modified": "2026-03-09T15:49:19Z",
  "published": "2026-03-05T00:16:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29780"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GOVCERT-LU/eml_parser/issues/88"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GOVCERT-LU/eml_parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "eml_parser: Path Traversal in Official Example Script Leads to Arbitrary File Write"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.