Unstructured hat Path Traversal über eine bösartige MSG-Anhangdatei, die das Schreiben beliebiger Dateien ermöglicht

The vulnerability lies within the partitionmsg function when processattachments=True. An attacker can exploit this by creating a .msg file containing attachment filenames that include path traversal sequences, such as ../../../etc/cron.d/malicious. When the library processes this malicious file, it will attempt to write the attachment to the attacker-specified path. This can lead to arbitrary file overwrites, potentially allowing attackers to modify critical system configuration files or inject malicious code into cron jobs. The potential for remote code execution is significant, as attackers could overwrite binaries or scripts to gain control of the affected system. The blast radius extends to any system processing .msg files using the vulnerable library.

Organizations and developers using the unstructured Python library to process email attachments, particularly those handling untrusted email sources, are at significant risk. Systems with older versions of the library (≤0.9.3) and those lacking robust input validation are especially vulnerable. Shared hosting environments where multiple applications share the same filesystem are also at increased risk.

• python / server:

import os
import hashlib

def check_attachment_filename(filename):
    # Check for path traversal sequences
    if "../" in filename:
        print(f"Potential path traversal detected in filename: {filename}")
        return True
    return False

# Example usage
filename = "../../../etc/cron.d/malicious.txt"
if check_attachment_filename(filename):
    print("Malicious filename detected!")

1. 2026-02-03Disclosure

   disclosure

1. Reserviert2025-11-10
2. Veröffentlicht2026-02-03
3. Geändert2026-02-10
4. EPSS aktualisiert2026-03-23

The primary mitigation is to upgrade to version 0.18.18 or later of the unstructured library. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider disabling the process_attachments=True option in the library's configuration. This will prevent the processing of attachments, effectively eliminating the path traversal risk. Additionally, implement strict input validation on any .msg files processed by the application, sanitizing filenames to prevent path traversal sequences. Monitor system logs for unusual file access patterns or unexpected file modifications. After upgrading, confirm the fix by attempting to process a test .msg file with a deliberately malicious filename containing path traversal sequences; the library should reject the operation.