CVE-2026-29780
Status: Received - Intake
Path Traversal in eml_parser Attachment Extraction Allows Arbitrary File Write

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: govcert.lu
Product: eml_parser
Version / Range: up to 2.0.1 (excluding 2.0.1)
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29780 is a path traversal vulnerability found in the official example script `examples/recursively_extract_attachments.py` of the eml-parser Python package versions prior to 2.0.1.

The vulnerability occurs because the script uses attachment filenames extracted from parsed emails directly to create output file paths without any sanitization or validation.

An attacker can craft an email with a malicious attachment filename containing path traversal sequences (e.g., "../outside/pwned.txt") that allows writing files outside the intended output directory.

This means the attacker-controlled filename can escape the target directory and write arbitrary files anywhere on the filesystem accessible by the script.

The issue has been fixed in version 2.0.1 by sanitizing filenames and verifying that output paths remain within the intended directory. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to write arbitrary files outside the intended output directory when running the vulnerable example script.

Potential impacts include attackers placing malicious files such as cron jobs, web shells, or SSH authorized keys on the system.

  • Injection of cron jobs (e.g., writing to /etc/cron.d/backdoor)
  • Uploading web shells to web server directories (e.g., /var/www/html/shell.php)
  • Adding SSH keys to authorized_keys files (e.g., /home/user/.ssh/authorized_keys)

Such actions could lead to unauthorized code execution or persistent access on the affected system.

However, the vulnerability is limited to the example script and does not affect the core eml-parser library.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by examining if the example script `examples/recursively_extract_attachments.py` from the eml_parser package is used and whether it processes email attachments without sanitizing filenames. Specifically, look for usage of the script that writes attachments using filenames directly from the email without path normalization or validation.

To detect exploitation attempts or presence of the vulnerability, you can search your filesystem or logs for files written outside the intended output directory, especially files with suspicious path traversal patterns like '../' in filenames.

  • Check if the vulnerable script is present and used: `ls examples/recursively_extract_attachments.py`
  • Search for files created outside the expected output directory, for example: `find /path/to/output/parent -type f -name '*pwned.txt'` or `find / -path '*outside/pwned.txt'`
  • Inspect recent files created with suspicious names: `find / -type f -name '*../*'` (though this may not match due to shell expansion, so check logs or script usage)
  • Review usage of the script and check if filenames are sanitized in the code (look for absence of `os.path.basename()` or path resolution checks). [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the eml_parser package to version 2.0.1 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, modify the example script `examples/recursively_extract_attachments.py` to sanitize attachment filenames before writing them to disk. This includes using `os.path.basename()` to strip directory components from filenames and verifying that the resolved output path is within the intended directory.

Specifically, implement code similar to the following to prevent path traversal:

  • Use `filename = os.path.basename(a['filename'])` to sanitize filenames.
  • Check that the resolved output path is inside the intended directory before writing files.

Additionally, review any adaptations of the example script in your environment to ensure they incorporate these fixes. [1, 2]
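The two mitigation steps above (strip directory components with `os.path.basename()`, then confirm the resolved output path stays inside the output directory) shown side by side with the unsafe join pattern the advisory describes, as an added example that is not code from this page or from the eml_parser project. The attachment records are constructed; the `raw` base64 field is assumed to mirror the shape of eml_parser's attachment output, and the helpers `unsafe_target`, `safe_target`, `extract_attachments` and `demo` are the example's own names. It goes one step beyond the page's fix in two places: it normalises backslashes before `basename()` so a Windows-style name cannot carry separators past a POSIX basename, and it rejects a pre-existing symlink inside the output directory that resolves elsewhere, which a basename check alone would write through.

```python
import base64
import os
import tempfile
from pathlib import Path

# Constructed sample attachments, not real parser output. Each dict uses the
# a['filename'] key the example script reads; 'raw' is assumed to carry the
# attachment bytes base64-encoded, as eml_parser's attachment records do.
SAMPLE_ATTACHMENTS = [
    {"filename": "report.pdf", "raw": base64.b64encode(b"%PDF-1.4 sample").decode()},
    {"filename": "../outside/pwned.txt", "raw": base64.b64encode(b"escaped").decode()},
    {"filename": "/etc/cron.d/backdoor", "raw": base64.b64encode(b"* * * * * root id").decode()},
    {"filename": "..", "raw": base64.b64encode(b"").decode()},
]


def unsafe_target(output_dir: str, filename: str) -> str:
    """Pre-2.0.1 pattern: the attachment filename is joined verbatim.

    '../' segments walk out of output_dir, and an absolute filename makes
    os.path.join discard output_dir entirely.
    """
    return os.path.join(output_dir, filename)


def safe_target(output_dir: str, filename: str) -> str:
    """Hardened form: strip directory components, reject empty/dot names,
    then confirm the resolved path is a direct child of output_dir."""
    # Normalise backslashes first so a Windows-style name cannot smuggle
    # separators past a POSIX basename() (an extra step beyond the page's fix).
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError(f"rejected attachment name {filename!r}")
    out_root = Path(output_dir).resolve()
    target = (out_root / base).resolve()
    # resolve() follows symlinks, so this compares the final on-disk location,
    # not the string we built; a symlink inside output_dir pointing out fails here.
    if target.parent != out_root:
        raise ValueError(f"attachment {filename!r} would land outside {out_root}")
    return str(target)


def extract_attachments(attachments, output_dir: str):
    """Write each attachment into output_dir; return (written paths, rejected names)."""
    os.makedirs(output_dir, exist_ok=True)
    written, rejected = [], []
    for a in attachments:
        try:
            path = safe_target(output_dir, a["filename"])
        except ValueError as exc:
            rejected.append((a["filename"], str(exc)))
            continue
        with open(path, "wb") as fh:
            fh.write(base64.b64decode(a["raw"]))
        written.append(path)
    return written, rejected


def demo(output_dir=None):
    """Run the hardened extractor over the constructed samples plus one
    symlink edge case; uses fresh temporary directories by default."""
    output_dir = output_dir or tempfile.mkdtemp(prefix="eml_out_")
    os.makedirs(output_dir, exist_ok=True)
    # Constructed edge case: a symlink already inside output_dir that points
    # to a file outside it. basename() alone would happily open() through it.
    escape = Path(tempfile.mkdtemp(prefix="eml_escape_")) / "target.txt"
    link = Path(output_dir) / "notes.txt"
    if not link.is_symlink():
        os.symlink(escape, link)
    attachments = SAMPLE_ATTACHMENTS + [
        {"filename": "notes.txt", "raw": base64.b64encode(b"via symlink").decode()},
    ]
    return extract_attachments(attachments, output_dir)


if __name__ == "__main__":
    written, rejected = demo()
    for p in written:
        print("written :", p)
    for name, why in rejected:
        print("rejected:", name, "->", why)
```

Note that `../outside/pwned.txt` and `/etc/cron.d/backdoor` are not rejected but reduced to `pwned.txt` and `backdoor` inside the output directory, which is exactly what the `basename()` step in the advisory's fix does; the containment check is the second line of defence and is what catches the symlink case.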

