CVE-2026-44844: eml_parser has recursion DoS via nested message/rfc822 attachments

May 8, 2026 (updated June 8, 2026)

EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests.

References

github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8
github.com/advisories/GHSA-g47v-rwmh-r9f8
nvd.nist.gov/vuln/detail/CVE-2026-44844

Code Behaviors & Features

Detect and mitigate CVE-2026-44844 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →