CVE-2026-29780 Overview
CVE-2026-29780 is a path traversal vulnerability affecting the eml_parser Python module, a popular library developed by GOVCERT-LU for parsing EML (email) files and extracting information from them. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal flaw that allows arbitrary file write operations outside the intended output directory.
The vulnerability exists because attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization. This allows an attacker who controls the email attachment filename to escape the target directory and write files to arbitrary locations on the filesystem.
Critical Impact
Attackers can craft malicious email files whose attachment filenames contain directory traversal sequences (e.g., ../) to write arbitrary files anywhere on the system where the user running the script has write permissions, potentially leading to code execution or system compromise.
Affected Products
- govcert.lu eml_parser versions prior to 2.0.1
- Python applications using the vulnerable recursively_extract_attachments.py example script
- Systems processing untrusted EML files with the affected script
Discovery Timeline
- 2026-03-07 - CVE CVE-2026-29780 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29780
Vulnerability Analysis
This path traversal vulnerability (CWE-22) allows attackers to write files outside the intended output directory when processing malicious email files. The vulnerability resides specifically in the examples/recursively_extract_attachments.py script included with the eml_parser package.
When the script extracts attachments from parsed emails, it uses the attachment filename directly from the email metadata to construct the output path. Since email attachment filenames are attacker-controlled, a malicious actor can embed directory traversal sequences such as ../ within the filename. These sequences allow the final write path to escape the designated output directory and target arbitrary filesystem locations.
The attack requires local access and user interaction (the victim must process a malicious EML file), but once triggered it yields a high integrity impact: an arbitrary file write with the privileges of the user running the script.
Root Cause
The root cause is improper input validation and path handling in the example script. The vulnerable code constructs file paths using user-controlled input (email attachment filenames) without resolving or validating that the resulting path remains within the intended output directory boundary.
The pathlib.Path objects for both scan_path and out_path were not resolved to their absolute canonical forms, allowing relative path components like .. to traverse outside the intended directory structure.
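The following is an added example (not eml_parser's own code) that puts the unchecked join described above beside a hardened version. It canonicalises the output directory as the 2.0.1 patch does, then additionally resolves the joined attachment path and refuses anything that does not land strictly below the output directory, which is the containment check the filename-sanitisation workaround later on this page points at. The output directory name and attachment names are constructed for the demonstration and need not exist on disk.

```python
import pathlib

# Hypothetical output directory; resolve() works on it even if it does not exist.
EXAMPLE_OUT_DIR = pathlib.Path("/tmp/eml_out_example")

# Constructed sample attachment names (not taken from any real email).
ATTACHMENT_NAMES = [
    "invoice.pdf",                          # plain name: stays inside the output dir
    "reports/q1.xlsx",                      # sub-directory below the output dir: still inside
    "../../../etc/cron.d/malicious_job",    # the traversal case the advisory describes
    "/etc/passwd",                          # absolute name: a leading '/' discards the left operand
]


def vulnerable_target(out_dir: pathlib.Path, attachment_name: str) -> pathlib.Path:
    """Path construction as the pre-2.0.1 example script did it: the name
    taken from the email is joined onto the output directory unchecked."""
    return out_dir / attachment_name


def safe_target(out_dir: pathlib.Path, attachment_name: str) -> pathlib.Path:
    """Hardened construction (added example, not eml_parser's own code).

    1. canonicalise the output directory, as the 2.0.1 patch does;
    2. canonicalise the joined path so '..' components collapse and symlinks
       are followed;
    3. refuse any result that is not strictly below the output directory.
    """
    base = out_dir.resolve()
    candidate = (base / attachment_name).resolve()
    # Comparing against Path.parents works on every Python 3 release;
    # candidate.is_relative_to(base) is the 3.9+ shorthand for the same test.
    if base not in candidate.parents:
        raise ValueError(f"attachment name escapes output directory: {attachment_name!r}")
    return candidate


def classify(out_dir: pathlib.Path, names) -> dict:
    """Map each candidate name to 'inside' or 'escapes' according to safe_target()."""
    verdicts = {}
    for name in names:
        try:
            safe_target(out_dir, name)
            verdicts[name] = "inside"
        except ValueError:
            verdicts[name] = "escapes"
    return verdicts


if __name__ == "__main__":
    for name in ATTACHMENT_NAMES:
        unchecked = vulnerable_target(EXAMPLE_OUT_DIR, name).resolve()
        print(f"{name!r:40} unchecked write would land at {unchecked}")
    print(classify(EXAMPLE_OUT_DIR, ATTACHMENT_NAMES))
```

Resolving both sides before the comparison matters: comparing the raw joined string against the output directory would be fooled by a symlink inside the output directory, and comparing an unresolved candidate would still contain the `..` components.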
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious EML file containing an attachment with a filename that includes path traversal sequences. When a victim processes this email using the vulnerable script, the attachment is written to an attacker-controlled location.
For example, an attachment named ../../../etc/cron.d/malicious_job would escape the output directory and write to the system cron directory (if permissions allow), potentially achieving code execution.
The attack vector is local (requires the victim to process the malicious file) with no special privileges required, though user interaction is necessary.
# Security patch for path traversal vulnerability
# Source: https://github.com/GOVCERT-LU/eml_parser/commit/99af03a09a90aaaaadd0ed2ffb5eea46d1ea2cc9
# Before (vulnerable):
- scan_path = pathlib.Path(options.path)
- out_path = pathlib.Path(options.outpath)
# After (fixed):
+ scan_path = pathlib.Path(options.path).resolve()
+ out_path = pathlib.Path(options.outpath).resolve()
if not scan_path.is_dir():
raise SystemExit('Specified path is not accessible')
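Review bot: canonicalising scan_path and out_path does not by itself bound the per-attachment write path; nothing in this hunk checks where `out_path / <attachment filename>` ends up, and a filename carrying `../` components still resolves outside out_path after that join. Suggest resolving the joined path at the point of writing and skipping it unless it stays under out_path, e.g. `target = (out_path / filename).resolve()` followed by `if out_path not in target.parents: continue` (or `target.is_relative_to(out_path)` on Python 3.9+). Minor: scan_path is validated with `is_dir()` on the context lines, but out_path gets no equivalent check before files are written beneath it.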
Source: GitHub Commit Update
Detection Methods for CVE-2026-29780
Indicators of Compromise
- Email attachments with filenames containing ../ or ..\ path traversal sequences
- Unexpected file creation or modification in directories outside the designated output path
- Log entries showing file write operations to sensitive system directories during EML processing
- Presence of files in unexpected locations matching attachment processing timestamps
Detection Strategies
- Implement file integrity monitoring (FIM) on sensitive directories to detect unauthorized file writes
- Monitor for email files containing suspicious attachment filenames with path traversal patterns
- Deploy application-level logging to track file write operations during EML parsing activities
- Use YARA rules to scan incoming EML files for attachments with malicious filename patterns
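As an added example (not eml_parser's own code) covering the filename indicators and the detection strategies listed above, the following scans an EML file with Python's standard library email module and flags every attachment whose declared filename is absolute, contains a `..` path component with either separator style, or carries a NUL byte. The sample message is constructed inline; its second attachment uses the traversal name from the advisory.

```python
import email
import email.policy
import re
from typing import List, Optional, Tuple

# A '..' path component bounded by '/' or '\' (or by the start/end of the name).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# A name that is already absolute: POSIX root, Windows drive letter, or a leading '\'.
ABSOLUTE_RE = re.compile(r"^(?:[\\/]|[A-Za-z]:)")

# Constructed sample message (not a real email). The second attachment
# carries the traversal filename described in the advisory.
SAMPLE_EML = b"""From: sender@example.invalid
To: analyst@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Body text.

--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=

--XYZ
Content-Type: text/plain; name="job"
Content-Disposition: attachment; filename="../../../etc/cron.d/malicious_job"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIK

--XYZ--
"""


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if the attachment name could steer a write
    outside the output directory, else None."""
    if "\x00" in name:
        return "embedded NUL byte"
    if ABSOLUTE_RE.match(name):
        return "absolute path"
    if TRAVERSAL_RE.search(name):
        return "parent-directory component"
    return None


def suspicious_attachment_names(raw_eml: bytes) -> List[Tuple[str, str]]:
    """Parse an EML and report every part, at any nesting depth, whose
    declared filename matches one of the indicators above."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    findings = []
    # walk() descends into nested multipart and message/rfc822 parts, so
    # attachments of forwarded messages are inspected as well.
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()      # Content-Disposition filename, else Content-Type name
        if not name:
            continue
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_attachment_names(SAMPLE_EML):
        print(f"ALERT attachment filename {name!r}: {reason}")
```

Run against a mail spool or quarantine directory this gives a cheap pre-filter in front of any attachment extractor; the regular expressions are also a direct template for the YARA rule mentioned above.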
Monitoring Recommendations
- Enable detailed logging for any applications using eml_parser to process external email files
- Configure alerts for file write operations that target directories outside expected output paths
- Monitor Python process activity for suspicious file system access patterns
- Review processed email logs for attachment filenames containing directory traversal sequences
How to Mitigate CVE-2026-29780
Immediate Actions Required
- Upgrade eml_parser to version 2.0.1 or later immediately
- Audit any custom scripts based on the vulnerable example for similar path traversal issues
- Review file systems for evidence of exploitation if the vulnerable script was used in production
- Restrict permissions on sensitive directories to limit potential impact
Patch Information
The vulnerability has been patched in eml_parser version 2.0.1. The fix applies the .resolve() method to both scan_path and out_path variables, converting relative paths to their absolute canonical forms. This prevents path traversal sequences from escaping the intended directory.
For detailed patch information, refer to the GitHub Security Advisory GHSA-389r-rccm-h3h5 and the GitHub Commit Update.
Workarounds
- If immediate upgrade is not possible, manually apply the .resolve() fix to the example script
- Process EML files in an isolated environment or container with restricted filesystem access
- Implement additional filename sanitization that strips or rejects path traversal characters before file creation
- Run the parsing script under a restricted user account with minimal write permissions
# Upgrade eml_parser to the patched version (quote the specifier so the
# shell does not treat '>=' as an output redirection)
pip install --upgrade "eml_parser>=2.0.1"
# Verify installed version
pip show eml_parser | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


