CRITICAL🇵🇱 Wersja polska

CVE-2025-64712

CVSS 9.8v3.1pub. 2026-02-04upd. 2026-02-27

The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.

🤖 AI Analysis
How it works

The partition_msg function processes files in MSG format (email messages) along with attachments. An attacker can craft a malicious MSG file containing an attachment with a properly constructed path (path traversal), which after processing by the library is written or overwritten in any location on the file system outside the intended target directory. The vulnerability is classified as CWE-22 (path traversal) and CWE-73 (external control of file name or path).

Impact

An attacker can write or overwrite arbitrary files on the file system of a server processing a malicious MSG file, which may lead to code execution, privilege escalation, or violation of system integrity and availability.

Mitigation & patch

The Unstructured library should be updated to version 0.18.18 or later, where the issue has been fixed. Patch details are available in vendor references: https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d

Who is affected

Unstructured library (Unstructured-IO/unstructured) in versions prior to 0.18.18

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Unstructured

    APP
    Unstructured
    < 0.18.18
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References