CVE-2026-29780
📋 TL;DR
CVE-2026-29780 is a path traversal vulnerability in an example script shipped with eml_parser that allows arbitrary file writes outside the intended output directory. The attacker controls the attachment filename in a crafted email; when the script joins that filename onto its output path without checking it, traversal sequences walk out of the directory, so files can be written anywhere the account running the script has write permission. The flaw is in the example script, not in the library's parsing API: it affects anyone running (or who copied code from) that script in eml_parser releases before 2.0.1.
💻 Affected Systems
- eml_parser
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so scanners that key on version metadata alone cannot tell you whether you are affected.
Why? The vendor advisory linked below identifies 2.0.1 as the fixed release, but NVD has not published version bounds, and the vulnerable code is an example script rather than the library itself, so the practical question is whether that script (or code derived from it) runs on untrusted mail in your environment.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file write with the privileges of the account running the extraction script. If that account can write to locations that are later executed or loaded (scheduled-task directories, shell startup files, the application's own code or configuration), an attacker-controlled file there can lead to code execution; overwriting existing files can destroy data. The impact is bounded by that account's permissions, which is why the script should never run as root or as a service account with broad write access.
Likely Case
Unauthorized file writes to sensitive directories, potentially overwriting configuration files or creating backdoors.
If Mitigated
Limited to writing files within intended output directory with proper input validation and path sanitization.
🎯 Exploit Status
Exploitation requires that the vulnerable example script (or code derived from it) process an attacker-supplied email whose attachment filename contains path traversal sequences (e.g., '../../etc/passwd'). The attacker needs no access to the host beyond getting the message into whatever mailbox or directory the script reads from.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1
Vendor Advisory: https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-389r-rccm-h3h5
Restart Required: No
Instructions:
1. Update eml_parser to version 2.0.1 or later using pip: pip install --upgrade "eml_parser>=2.0.1"
2. Replace any copy of the vulnerable example script (including code pasted from it into your own tooling) with the updated version from the repository; upgrading the library alone does not fix a script you have copied elsewhere.
🔧 Temporary Workarounds
Input Validation for Attachment Filenames
Manually sanitize attachment filenames before using them in file paths:
    import re

    def sanitize_filename(filename):
        # Keep only the last path component, splitting on both / and \
        # so Windows-style traversal ("..\..\x") is handled as well
        name = re.split(r'[\\/]', filename)[-1]
        # Strip any remaining traversal sequences
        name = name.replace('..', '')
        # A name that collapses to nothing (e.g. "../../") must not become
        # an empty or "." path component
        if name in ('', '.'):
            raise ValueError('Unsafe attachment filename')
        return name
Restrict Output Directory
Use absolute paths and ensure the output directory is properly restricted:
    import os

    output_dir = os.path.realpath('/safe/output/directory')
    os.makedirs(output_dir, exist_ok=True)

    def resolve_output_path(filename):
        # Drop any directory component, then resolve symlinks and '..'
        full_path = os.path.realpath(os.path.join(output_dir, os.path.basename(filename)))
        # A plain startswith() check is fooled by a sibling directory such as
        # /safe/output/directory2; compare whole path components instead
        if os.path.commonpath([output_dir, full_path]) != output_dir:
            raise ValueError('Path traversal attempt detected')
        return full_path
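The traversal described under Exploit Status and the two workarounds above, brought together in an added end-to-end example that is not code from eml_parser or from this advisory. It builds an email with a crafted attachment filename using Python's standard email module (so it runs without eml_parser installed), extracts it once with the unchecked join that characterises the flaw and once with a hardened check, inside a throwaway temporary directory. The function names, the sample message and the a/b/out directory layout are constructed for illustration; the hardened form rejects suspicious names rather than silently rewriting them, so the attempt can be logged.

```python
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_malicious_eml(filename="../../evil.txt"):
    """Constructed sample message: one attachment whose filename carries a
    traversal sequence, as an attacker would craft it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "inbox@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"owned\n", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def extract_vulnerable(raw, out_dir):
    """The flawed pattern: the attachment filename is joined onto out_dir as-is,
    so '../' components walk out of the output tree. Returns resolved paths written."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    written = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        path = os.path.join(out_dir, name)          # no check on name
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        written.append(os.path.realpath(path))
    return written


def safe_target(out_dir, name):
    """Hardened form: refuse any separator or bare '..' in the name, then confirm
    the resolved target sits inside out_dir by comparing whole path components
    (a string-prefix check would accept a sibling such as out_dir + '2')."""
    base = os.path.realpath(out_dir)
    if re.search(r"[\\/]", name) or name in ("", ".", ".."):
        raise ValueError("unsafe attachment filename: %r" % name)
    target = os.path.realpath(os.path.join(base, name))
    # Defence in depth: catches a pre-existing symlink of that name pointing outside
    if os.path.commonpath([base, target]) != base:
        raise ValueError("attachment path escapes output directory: %r" % name)
    return target


def extract_safe(raw, out_dir):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    written = []
    for part in msg.iter_attachments():
        target = safe_target(out_dir, part.get_filename() or "unnamed")
        with open(target, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        written.append(target)
    return written


def demo():
    """Run both extractors against the crafted message in a throwaway tree and
    report where the file landed."""
    root = os.path.realpath(tempfile.mkdtemp())
    out_dir = os.path.join(root, "a", "b", "out")
    os.makedirs(out_dir)
    crafted = build_malicious_eml()
    vuln_paths = extract_vulnerable(crafted, out_dir)
    escaped = any(os.path.commonpath([out_dir, p]) != out_dir for p in vuln_paths)
    try:
        extract_safe(crafted, out_dir)
        blocked = False
    except ValueError:
        blocked = True
    benign = extract_safe(build_malicious_eml("report.pdf"), out_dir)
    return {
        "vulnerable_wrote": vuln_paths,      # lands in .../a/evil.txt, two levels up
        "vulnerable_escaped": escaped,
        "safe_blocked": blocked,
        "safe_benign": benign,               # .../a/b/out/report.pdf
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the two outcomes side by side: the unchecked join drops evil.txt two directories above the output tree, while the hardened extractor raises on the crafted name and still accepts an ordinary one. The same crafted message is also a convenient input for the "test with malicious filenames" step in How to Verify, provided you point the script at a scratch directory.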
🧯 If You Can't Patch
- Stop using the vulnerable example script examples/recursively_extract_attachments.py
- Implement strict input validation for all attachment filenames before file operations
🔍 How to Verify
Check if Vulnerable:
Check if you're using eml_parser version <2.0.1 AND using the examples/recursively_extract_attachments.py script
Check Version:
python -m pip show eml_parser (read the Version line; the distribution name is also accepted as eml-parser)
Verify Fix Applied:
Verify that the installed eml_parser version is 2.0.1 or higher and that no copies of the old example script remain in your tooling; then, in a scratch directory, run the extraction on an email whose attachment filename contains path traversal sequences and confirm that nothing is written outside that directory.
📡 Detection & Monitoring
Log Indicators:
- File write attempts outside expected output directories
- Path traversal sequences in filenames (../, ..\)
- Permission denied errors for unexpected file paths
Network Indicators:
- Incoming email attachments with suspicious filenames
- Unusual file write patterns from email processing systems
SIEM Query:
source="email_processing" AND (filename="*../*" OR filename="*..\\*" OR filepath!="*/expected/output/dir/*")
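The log indicators and the SIEM query above, expressed as Python that can be run over an export of your own logs, as an added example that is not part of this advisory. The log records, the field names (source, filename, filepath) and the expected directory /var/spool/extract are constructed assumptions; adjust them to your pipeline. Unlike the wildcard query, the path check normalises '..' components and backslashes before comparing, so a legitimate write to /var/spool/extract/sub/../notes.txt is not flagged, while a write under /var/spool/extract-old/ (a sibling that merely shares the prefix) is.

```python
import json
import posixpath
import re

# Assumed location of the legitimate extraction tree (constructed for this example)
EXPECTED_DIR = "/var/spool/extract"

# '..' as a whole path component, in either separator style ('..foo' is a legal name)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample records in the shape of an email-processing audit log; not real data
SAMPLE_LOGS = [
    '{"source":"email_processing","filename":"invoice.pdf","filepath":"/var/spool/extract/invoice.pdf"}',
    '{"source":"email_processing","filename":"../../etc/cron.d/job","filepath":"/var/spool/etc/cron.d/job"}',
    '{"source":"email_processing","filename":"..\\\\..\\\\boot.ini","filepath":"/var/spool/extract/..\\\\..\\\\boot.ini"}',
    '{"source":"email_processing","filename":"report.txt","filepath":"/var/spool/extract-old/report.txt"}',
    '{"source":"email_processing","filename":"notes.txt","filepath":"/var/spool/extract/sub/../notes.txt"}',
    '{"source":"web","filename":"../index.html","filepath":"/srv/www/index.html"}',
]


def outside_expected_dir(filepath, expected=EXPECTED_DIR):
    """True when the normalised write path is not inside the expected tree."""
    norm = posixpath.normpath(filepath.replace("\\", "/"))
    if not norm.startswith("/"):
        return True          # a relative path cannot be proven to be inside the tree
    # commonpath compares whole components, so /var/spool/extract-old does not match
    return posixpath.commonpath([expected, norm]) != expected


def triage(lines):
    """Return (filename, reasons) for every email_processing record that trips an indicator."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("source") != "email_processing":
            continue
        reasons = []
        if TRAVERSAL.search(rec.get("filename", "")):
            reasons.append("traversal_in_filename")
        if outside_expected_dir(rec.get("filepath", "")):
            reasons.append("write_outside_expected_dir")
        if reasons:
            hits.append((rec["filename"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOGS):
        print(name, reasons)
```

On the constructed sample this flags three records: the two crafted filenames (both indicators) and report.txt, whose filename is clean but whose write landed in the sibling directory, which a prefix-style query would have missed.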