Unstructured
CVE-2025-64712
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 pypi packages depend on unstructured (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 0.18.18.
DescriptionGitHub Advisory
The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.
AnalysisAI
The unstructured Python library for document ingestion has a path traversal vulnerability allowing arbitrary file read/write during document processing.
Technical ContextAI
The unstructured library has a CWE-22 path traversal vulnerability that allows attackers to read or write arbitrary files on the server when processing crafted documents.
RemediationAI
Update the unstructured library. Validate file paths during document processing.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gm8q-m8mv-jj5m