The eml_parser Python module, developed by GOVCERT-LU, is designed to parse .eml email files and extract various information, including attachments. Prior to version 2.0.1, the example script recursively_extract_attachments.py demonstrates a path traversal vulnerability (CWE-22) due to improper sanitization of attachment filenames. When parsing emails, the script directly uses the attachment filenames to construct output paths without validating or normalizing them. An attacker can craft an email with malicious attachment filenames containing directory traversal sequences (e.g., '../') to escape the intended output directory and write files arbitrarily anywhere the executing user has write permissions. This can lead to overwriting critical files or planting malicious files on the system. The vulnerability requires the victim to run the vulnerable script on a crafted email file, thus involving user interaction. The CVSS v3.1 base score is 5.5 (medium severity), reflecting the local attack vector, low complexity, no privileges required, but requiring user interaction. The impact is primarily on integrity, as arbitrary files can be overwritten, potentially leading to code execution or data corruption. The vulnerability was responsibly disclosed and patched in version 2.0.1 by adding proper filename sanitization and path normalization to prevent directory traversal. No public exploits or widespread attacks have been reported to date.

This vulnerability allows an attacker to write arbitrary files outside the intended output directory when processing maliciously crafted email files. For organizations using the vulnerable eml_parser versions, this can lead to unauthorized modification or replacement of critical files, potentially enabling further exploitation such as privilege escalation, persistence, or disruption of normal operations. Although the attack requires user interaction (running the vulnerable script on a malicious email), the risk is significant in environments where automated or semi-automated email processing occurs, such as email security gateways, forensic tools, or malware analysis platforms. The integrity of systems can be compromised, and in some cases, confidentiality could be indirectly affected if sensitive files are overwritten or replaced. The vulnerability does not directly impact availability but could lead to denial of service if critical files are corrupted. Since the vulnerability is local and requires user action, the scope is limited but still relevant for organizations relying on eml_parser for email processing.

1. Upgrade to eml_parser version 2.0.1 or later, where the path traversal vulnerability is patched with proper filename sanitization and path normalization. 2. If upgrading is not immediately possible, avoid using the vulnerable example script recursively_extract_attachments.py or any custom scripts that write attachment files without sanitizing filenames. 3. Implement strict input validation and sanitization on all filenames extracted from untrusted email sources, removing or neutralizing directory traversal sequences and invalid characters. 4. Run email parsing and attachment extraction processes with the least privileges necessary, restricting write permissions to dedicated directories to limit the impact of arbitrary file writes. 5. Employ monitoring and alerting for unexpected file modifications in critical directories. 6. Educate users and administrators about the risks of processing untrusted email files and encourage cautious handling of email attachments. 7. Consider sandboxing or containerizing email parsing tools to isolate potential damage from exploitation.