Platform: python
Component: unstructured
Fixed in: 0.18.18, 0.18.19
CVE-2025-64712 is a critical path traversal vulnerability in the unstructured Python library. A crafted .msg file whose attachments carry traversal sequences in their filenames lets an attacker write or overwrite arbitrary files on the host that processes the message. Releases before 0.18.18 are affected; the fix shipped in 0.18.18 and is also present in 0.18.19.
The flaw is in `partition_msg` when it is called with `process_attachments=True`. An attacker crafts a .msg file whose attachment filenames contain traversal sequences such as `../../../etc/cron.d/malicious`; when unstructured extracts the attachments it builds the destination path from that name and writes the attachment there, outside the directory intended for extracted attachments. The write runs with the privileges of the process calling unstructured, so every file that process can write is reachable: system configuration files, cron job definitions or application code. Overwriting a file that is later executed turns the arbitrary write into remote code execution, which is why the impact is rated as high as it is.
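The check a .msg ingestion pipeline should apply before an extracted attachment touches disk, as an added example. This is not code from the unstructured project; the function names, the `UnsafeAttachmentName` exception and the sample attachment names and bodies are all constructed for this illustration. It rejects any name that is not a single plain filename component (either slash direction, a `..` component, a Windows drive prefix), re-checks the resolved path so a pre-planted symlink cannot redirect the write, and creates the file with O_EXCL so an existing file is never overwritten, which is the primitive this CVE gives an attacker.

```python
"""Confine attachment writes to the output directory.

Added example: not code from the unstructured project. It shows the filename
check a .msg ingestion pipeline should apply before an extracted attachment
touches disk, exercised against constructed attachment names of the kind a
hostile message could carry.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Either separator counts: a .msg built on Windows may carry backslashes, and a
# POSIX-only check would pass "..\\..\\etc\\cron.d\\x" as a flat filename.
_SEPARATOR = re.compile(r"[\\/]")


class UnsafeAttachmentName(ValueError):
    """The attachment filename could escape the output directory."""


def is_traversal(name: str) -> bool:
    """Return True for any name that is not a single, plain filename component."""
    if not name or "\x00" in name:
        return True                      # empty name or NUL-truncation trick
    if _SEPARATOR.search(name):
        return True                      # any directory part, relative or absolute
    if PureWindowsPath(name).drive:
        return True                      # "C:evil.exe" is drive-relative on Windows
    return name in (".", "..")


def write_attachment(output_dir: str | os.PathLike[str], name: str, data: bytes) -> Path:
    """Write `data` as a new file named `name` inside `output_dir`, or raise."""
    if is_traversal(name):
        raise UnsafeAttachmentName(name)
    base = Path(output_dir).resolve()
    target = (base / name).resolve()
    # Defence in depth: resolve() follows symlinks, so a pre-planted link called
    # `name` that points outside the directory is caught here even though the
    # string check above passed.
    if target.parent != base:
        raise UnsafeAttachmentName(name)
    # "x" mode is O_CREAT|O_EXCL: never overwrite an existing file such as a
    # cron.d entry or authorized_keys, the exact primitive this CVE hands out.
    with open(target, "xb") as fh:
        fh.write(data)
    return target


# Constructed sample attachment names and bodies; not taken from a real message.
SAMPLE_ATTACHMENTS: dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4 harmless",
    "invoice..v2.pdf": b"'..' inside a name is fine; only as a path component is it traversal",
    "../../../etc/cron.d/malicious": b"* * * * * root /bin/sh -c id\n",
    "..\\..\\Windows\\System32\\drivers\\etc\\hosts": b"127.0.0.1 update.example\n",
    "/etc/passwd": b"root::0:0:root:/root:/bin/sh\n",
    "C:evil.exe": b"MZ",
}


def process_attachments(output_dir: str | os.PathLike[str],
                        attachments: dict[str, bytes]) -> dict[str, str]:
    """Try to write each attachment; report 'written:<name>' or 'rejected' per entry."""
    outcome: dict[str, str] = {}
    for name, data in attachments.items():
        try:
            outcome[name] = "written:" + write_attachment(output_dir, name, data).name
        except UnsafeAttachmentName:
            outcome[name] = "rejected"
    return outcome


def run_demo() -> dict[str, str]:
    """Run the sample set against a throwaway directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as scratch:
        return process_attachments(scratch, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{result:<24} {name!r}")
```

Rejecting rather than flattening (`os.path.basename`) is deliberate: a pipeline that silently turns `../../../etc/cron.d/malicious` into `malicious` loses the signal that the message was hostile, while a rejection can be logged and alerted on.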
This vulnerability has not been publicly exploited as of the time of writing, but the potential for remote code execution makes it a high-priority concern. It is not currently listed on CISA KEV. No public proof-of-concept is available, but crafting a malicious .msg file requires nothing more than an MSG-writing tool, so the barrier to exploitation is low once an attacker can get a message into a pipeline that processes attachments. The vulnerability was publicly disclosed on 2026-02-03.
Exploit Status
EPSS: 0.12% (32nd percentile)
The primary mitigation is to upgrade to unstructured 0.18.18 or later. If an immediate upgrade is not feasible because of compatibility concerns, call `partition_msg` with `process_attachments=False` so attachments are never written to disk; the traversal is only reachable when attachment processing is enabled. If attachments must be processed on an older release, validate the attachment filenames yourself, for instance by pre-parsing the message with a separate MSG parser, and reject any name that contains a path separator in either direction, a `..` component or a drive prefix. A WAF is a poor fit here: .msg is a binary OLE compound file and the attachment names live inside that container, so a filter matching filename patterns on the upload is unlikely to see them. Run the ingestion worker as an unprivileged user with no write access to locations such as /etc/cron.d; an arbitrary write is then limited to files that user already owns. After upgrading, confirm the fix by processing a test .msg whose attachment name carries a traversal sequence and checking that nothing is written outside the attachment directory.
Update the `unstructured` library to version 0.18.18 or higher. This corrects the path traversal vulnerability when processing malicious MSG files. Run `pip install --upgrade unstructured` to update, then `pip show unstructured` to confirm the installed version.
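A version gate for the upgrade step, as an added example that is not part of this page or of the unstructured project. It classifies `unstructured` pins in a requirements file and the version installed in the current environment against the 0.18.18 release named above. `FIXED_VERSION`, the function names and the sample requirements text are assumptions constructed for the illustration; pre-releases of 0.18.18 (`0.18.18rc1`, `0.18.18.dev3`) are treated as still affected, while post-releases are treated as fixed.

```python
"""Decide whether a pinned or installed unstructured version predates the fix.

Added example, not part of the page or the project. FIXED_VERSION is the
0.18.18 release this advisory names; the requirements text is constructed.
"""
from __future__ import annotations

import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIXED_VERSION = (0, 18, 18)

# Leading dotted numbers, then whatever suffix follows (rc1, .dev3, .post1, ...).
_VERSION = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE = re.compile(r"^\.?(a|b|rc|dev)\d*", re.IGNORECASE)
# `unstructured`, optional extras, optional operator and version. The lookahead
# stops the name matching prefixes of other packages such as unstructured-client.
_PIN = re.compile(
    r"^(unstructured)(?![\w.-])(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|<|>)?\s*([^\s;,#]*)",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Return (first three numeric parts, is_prerelease) for a PEP 440-style string."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]          # "0.18" -> (0, 18, 0); extra parts dropped
    return parts, bool(_PRERELEASE.match(m.group(2)))


def is_affected(version_text: str) -> bool:
    """True when the version is older than the fixed release; its pre-releases count as older."""
    parts, prerelease = parse_version(version_text)
    if parts < FIXED_VERSION:
        return True
    if parts == FIXED_VERSION:
        return prerelease
    return False


def audit_requirements(requirements: str) -> list[tuple[str, str]]:
    """Classify each `unstructured` line as 'affected', 'fixed' or 'unpinned'."""
    findings: list[tuple[str, str]] = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = _PIN.match(line) if line else None
        if not m:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            findings.append((line, "affected" if is_affected(ver) else "fixed"))
        else:
            # ">=", "~=" or no pin at all: the resolver decides, so consult the
            # lockfile or the installed distribution instead of the text.
            findings.append((line, "unpinned"))
    return findings


def installed_status() -> str:
    """Report the environment's unstructured as 'affected', 'fixed' or 'not installed'."""
    try:
        return "affected" if is_affected(installed_version("unstructured")) else "fixed"
    except PackageNotFoundError:
        return "not installed"


# Constructed requirements.txt for this example; not from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
unstructured[all-docs]==0.18.17   # pinned before the fix
Unstructured == 0.18.19 ; python_version >= "3.10"
unstructured>=0.18               # floating: only the lockfile or environment knows
unstructured-client==0.30.0      # different package, must not match
"""

if __name__ == "__main__":
    for line, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:<10} {line}")
    print("installed:", installed_status())
```

The `unpinned` outcome is the important one in practice: a floating `unstructured>=0.18` in requirements.txt says nothing about what the lockfile or a cached wheel actually resolved to, so the installed distribution is what has to be checked.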
CVE-2025-64712 is a critical Path Traversal vulnerability in the unstructured Python library that allows attackers to overwrite files by crafting malicious .msg attachments.
You are affected if you are using an unstructured release earlier than 0.18.18 and process .msg files with attachment processing enabled.
Upgrade to version 0.18.18 or later. If upgrading is not possible, disable attachment processing or implement strict input validation.
There are no confirmed active exploits at this time, but the vulnerability's potential for remote code execution makes it a high-priority concern.
Refer to the unstructured project's release notes and security advisories on their GitHub repository for the latest information.