CVE-2026-44844
Stack Overflow in eml_parser Prior to 3.0.1
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eml_parser | eml_parser | 3.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the eml_parser Python module, specifically in versions prior to 3.0.1. The method EmlParser.get_raw_body_text() recursively processes every nested message or rfc822 attachment without any limit on the recursion depth.
An attacker can craft a malicious EML file containing about 120 nested message/rfc822 parts, which triggers an unhandled RecursionError. This error causes the parser to crash and abort parsing the message.
Although this can crash the parser, the crafted EML file that causes this issue is unlikely to pass basic RFC compliance tests. The vulnerability was fixed in version 3.0.1 of eml_parser.
How can this vulnerability impact me?
This vulnerability can cause eml_parser to crash when processing a specially crafted EML file with deeply nested message parts.
If you rely on eml_parser to process emails, an attacker could exploit this to cause a denial of service by crashing the parser, potentially interrupting email processing workflows or worker processes.
However, the attack scenario is considered unlikely because the malicious EML file would not conform to basic RFC standards.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the eml_parser Python module to version 3.0.1 or later, where the issue with unbounded recursion in get_raw_body_text() has been fixed.
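
A pre-parse depth check for pipelines that hand untrusted mail to a parser, as an added example (not code from eml_parser or from this advisory): it measures message/rfc822 nesting with an explicit stack, so the depth walk itself does not recurse. The cap of 16, the function names and the sample builder are assumptions of this example; it uses only the Python standard library.

```python
import email
from email.message import Message
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_RFC822_DEPTH = 16  # assumed cap for this example; tune to your mail flow


def rfc822_depth(msg: Message, stop_after: int = MAX_RFC822_DEPTH) -> int:
    """Deepest chain of nested message/rfc822 parts, found without recursion.

    Uses an explicit stack instead of Message.walk(), which is itself a
    recursive generator. Returns early once the depth exceeds stop_after.
    """
    deepest = 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if deepest > stop_after:
            return deepest
        payload = part.get_payload()
        if isinstance(payload, list):  # multipart/* or message/rfc822 container
            is_embedded = part.get_content_type() == "message/rfc822"
            child_depth = depth + 1 if is_embedded else depth
            stack.extend((child, child_depth) for child in payload)
    return deepest


def within_depth_limit(raw: bytes, limit: int = MAX_RFC822_DEPTH) -> bool:
    """True if the message may be handed on to the full parser."""
    return rfc822_depth(email.message_from_bytes(raw), limit) <= limit


def constructed_sample(levels: int) -> bytes:
    """Constructed test input: a message wrapped in `levels` message/rfc822 parts."""
    msg = MIMEText("innermost body")
    for _ in range(levels):
        outer = MIMEMultipart()
        outer.attach(MIMEText("wrapper text"))
        outer.attach(MIMEMessage(msg))
        msg = outer
    return msg.as_bytes()


if __name__ == "__main__":
    for levels in (3, 20):
        print(levels, within_depth_limit(constructed_sample(levels)))
```

Messages that fail the check can be quarantined or logged instead of parsed; the check is an extra layer alongside the upgrade to 3.0.1, not a substitute for it.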