Skip to main content

Unstructured CVE-2025-64712

CRITICAL
Path Traversal (CWE-22)
2026-02-04 security-advisories@github.com GHSA-gm8q-m8mv-jj5m
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 27, 2026 - 20:30 nvd
Patch available
CVE Published
Feb 04, 2026 - 18:16 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on unstructured (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.18.18.

DescriptionGitHub Advisory

The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.

AnalysisAI

The unstructured Python library for document ingestion has a path traversal vulnerability allowing arbitrary file read/write during document processing.

Technical ContextAI

The unstructured library has a CWE-22 path traversal vulnerability that allows attackers to read or write arbitrary files on the server when processing crafted documents.

RemediationAI

Update the unstructured library. Validate file paths during document processing.

Share

CVE-2025-64712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy