eml_parser
- Affected versions: <= 3.0.0
A denial-of-service vulnerability has been identified in the eml_parser Python module, specifically in versions through 3.0.0. The issue arises in the EmlParser.get_raw_body_text() function, which recursively processes nested message/rfc822 attachments without a depth limit. An attacker can exploit this by sending a crafted EML file with approximately 120 nested parts, causing an unhandled RecursionError that crashes the parser. While this vulnerability disrupts parsing, it is unlikely to occur in practice, as the malformed EML would not pass basic RFC compliance checks.
Exploitation of this vulnerability leads to a RecursionError, causing any processing pipeline that handles EML files with eml_parser to crash. This interruption can disrupt the triage of multiple emails, as the unhandled exception halts the entire batch process, unless the call is wrapped in a try/except block. However, an attacker could still create a volume of emails that keeps workers in a constant restart cycle.
The vulnerability can be reproduced by using eml_parser version 3.0.0. After installing this version, the EmlParser.get_raw_body_text() function can be called with a crafted EML file that contains around 120 nested message/rfc822 parts. This nesting can be achieved by creating a multipart message that recursively includes itself, effectively building up the depth until the recursion limit is reached. Once the RecursionError is triggered, the parser will crash, demonstrating the denial-of-service condition.
Users can upgrade to eml_parser version 3.0.1, where this vulnerability has been fixed.
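For pipelines that cannot take the upgrade immediately, a depth gate in front of the parser is the practical stop-gap. The following is an added example, not code from eml_parser: it walks the MIME tree with the standard library using an explicit stack (so the check itself cannot hit the recursion limit), rejects any EML nested deeper than an assumed policy value (MAX_RFC822_DEPTH, set well under the ~120 levels the advisory cites), and confines a RecursionError to the one message instead of the whole batch. The `parse` callable stands in for the real eml_parser call, and build_nested_eml is a constructed fixture used only at small depths.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed deployment limit: far below the ~120 levels the advisory says trip RecursionError.
MAX_RFC822_DEPTH = 16


def rfc822_nesting_depth(msg) -> int:
    """Deepest chain of message/rfc822 parts, walked with an explicit stack (no recursion)."""
    deepest, stack = 0, [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if part.is_multipart():  # multipart/* and message/rfc822 both carry sub-parts
            for child in part.get_payload():
                step = 1 if child.get_content_type() == "message/rfc822" else 0
                stack.append((child, depth + step))
    return deepest


def gate(raw: bytes, limit: int = MAX_RFC822_DEPTH):
    """Return (accepted, depth) for a raw EML before it reaches eml_parser."""
    depth = rfc822_nesting_depth(email.message_from_bytes(raw, policy=policy.default))
    return depth <= limit, depth


def parse_guarded(raw: bytes, parse, limit: int = MAX_RFC822_DEPTH) -> dict:
    """Run `parse` (the real eml_parser call in production) only on gated input,
    and turn a RecursionError into a per-message error instead of a batch crash."""
    accepted, depth = gate(raw, limit)
    if not accepted:
        return {"status": "rejected", "depth": depth}
    try:
        return {"status": "ok", "depth": depth, "result": parse(raw)}
    except RecursionError:
        return {"status": "error", "depth": depth}


def build_nested_eml(levels: int) -> bytes:
    """Constructed fixture: `levels` message/rfc822 wrappers around a plain-text leaf."""
    msg = EmailMessage()
    msg["Subject"] = "leaf"
    msg.set_content("leaf body")
    for i in range(levels):
        outer = EmailMessage()
        outer["Subject"] = f"wrapper {i + 1}"
        outer.set_content("wrapper body")
        outer.add_attachment(msg)  # stored as a message/rfc822 part
        msg = outer
    return bytes(msg)
```

Rejected and errored messages should be logged and quarantined rather than retried, since a retry loop is exactly the worker-restart cycle the advisory describes.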