PT-2026-5943 · Unknown · Unstructured

Published 2026-02-03 · Updated 2026-02-27 · CVE-2025-64712

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Unstructured versions prior to 0.18.18

Description

The Unstructured library, used for ingesting and pre-processing various document types like PDFs, HTML, Word documents, and images, contains a path traversal vulnerability in the partition_msg function. This flaw allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. The vulnerability is triggered when process_attachments is set to True and the library does not sanitize attachment filenames before writing them to the filesystem. This could lead to arbitrary file overwrite, remote code execution, data corruption, or denial of service. The issue affects the MSG file partitioning functionality. It is estimated that over 4 million downloads occur monthly, and 87% of Fortune 1000 companies utilize the library.

Recommendations

Versions prior to 0.18.18 should be updated to version 0.18.18 or later. If updating is not immediately possible, set process_attachments=False when processing untrusted MSG files. Avoid processing MSG files from untrusted sources. Implement additional filename validation before processing.
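
One way to implement the filename validation recommended above, as an added example (not code from Unstructured or from the 0.18.18 fix). The helper names safe_attachment_name and write_attachment and the sample filenames are hypothetical and constructed for illustration.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")

def safe_attachment_name(raw: str, fallback: str = "attachment.bin") -> str:
    """Reduce an untrusted attachment filename to a harmless basename."""
    # PureWindowsPath splits on both "/" and "\" and drops drive letters,
    # so POSIX- and Windows-style traversal are handled the same way.
    name = PureWindowsPath(raw.replace("\x00", "")).name
    # Allow-list the characters, then drop leading dots ("..", dotfiles).
    name = _UNSAFE_CHARS.sub("_", name).lstrip(".")
    return name[:255] or fallback

def write_attachment(out_dir: Path, raw_name: str, data: bytes) -> Path:
    """Write data under out_dir only; never overwrite or follow a symlink out."""
    out_dir = out_dir.resolve()
    target = (out_dir / safe_attachment_name(raw_name)).resolve()
    # Defence in depth: a pre-planted symlink could still point elsewhere.
    if target.parent != out_dir:
        raise ValueError(f"refusing to write outside {out_dir}: {raw_name!r}")
    # Mode "xb" fails if the file already exists, so nothing is overwritten.
    with open(target, "xb") as fh:
        fh.write(data)
    return target

# Constructed sample filenames (not taken from any real MSG file).
SAMPLES = ["report 2025.pdf", "../../../etc/cron.d/job",
           "..\\..\\Startup\\run.bat", "C:\\Users\\x\\.bashrc", ".."]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for raw in SAMPLES:
            print(f"{raw!r:32} -> {write_attachment(Path(d), raw, b'x').name}")
```

The same check can be applied to attachment names before handing an untrusted MSG file to any extraction step that writes attachments to disk.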

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-64712
GHSA-GM8Q-M8MV-JJ5M

Affected Products

Unstructured