CVE-2025-64712

9.8 CRITICAL

📋 TL;DR

A path traversal vulnerability in the unstructured library's partition_msg function allows attackers to write or overwrite arbitrary files on the filesystem when a malicious MSG file with attachments is processed. It affects any system that uses unstructured versions before 0.18.18 to process MSG files. The CVSS score of 9.8 indicates critical severity with low attack complexity.

💻 Affected Systems

Products:
  • unstructured library
Versions: All versions before 0.18.18
Operating Systems: All operating systems where unstructured library runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems processing MSG files with attachments using the partition_msg function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation.

🟠 Likely Case

Data corruption, denial of service, or sensitive information exposure through file overwrites in web applications processing user-uploaded MSG files.

🟢 If Mitigated

Limited impact with proper file system permissions, sandboxing, and input validation preventing traversal outside designated directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a malicious MSG file to be processed by the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.18.18

Vendor Advisory: https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m

Restart Required: No

Instructions:

1. Update the unstructured library to version 0.18.18 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "unstructured>=0.18.18"
2. Verify the update completed successfully
3. Test MSG file processing functionality

🔧 Temporary Workarounds

Disable MSG file processing

Scope: all

Temporarily disable processing of MSG files until patching is complete. Modify application code to skip or reject MSG files before calling partition_msg.

Implement input validation

Scope: all

Add validation to reject MSG files with suspicious attachment paths. Implement file path validation before processing attachments.

🧯 If You Can't Patch

  • Implement strict file system permissions limiting write access to minimal necessary directories
  • Run the application in a sandboxed/containerized environment with restricted filesystem access

🔍 How to Verify

Check if Vulnerable:

Check if unstructured library version is below 0.18.18 and if the application processes MSG files

Check Version:

python -c "import unstructured; print(unstructured.__version__)"

Verify Fix Applied:

Confirm unstructured library version is 0.18.18 or higher and test MSG file processing
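The two checks above (gating on the installed version, and rejecting attachment names that could escape the extraction directory, as the "Implement input validation" workaround describes) as one added Python example. This is not code from the unstructured project: it assumes the application already has the attachment names from the MSG file before it calls partition_msg, and the output directory name and the sample attachment names are constructed for illustration.

```python
"""Pre-processing guard for MSG attachments (added example, not part of the
unstructured library). Assumes the caller extracts attachment names from the
MSG before handing the file to partition_msg; sample names are constructed."""
from pathlib import Path
from typing import List, Tuple

FIXED_VERSION = (0, 18, 18)  # first patched release named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.18.17' into (0, 18, 17); a non-numeric suffix ends parsing."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the installed unstructured version is 0.18.18 or later."""
    return parse_version(version) >= FIXED_VERSION


def is_suspicious_name(name: str) -> bool:
    """Flag attachment names carrying any directory component or drive prefix.

    Both '/' and '\\' are treated as separators so Windows-style names are
    caught too; a bare file name is the only thing accepted."""
    segments = name.replace("\\", "/").split("/")
    if len(segments) != 1:
        return True  # '../x', 'a/b', '/abs', '..\\x' all have >1 segment
    leaf = segments[0]
    return leaf in ("", ".", "..") or ":" in leaf


def safe_attachment_path(output_dir: Path, name: str) -> Path:
    """Return the path the attachment may be written to, or raise ValueError.

    Defence in depth: even after the name check, the resolved path must sit
    directly under the resolved output directory."""
    if is_suspicious_name(name):
        raise ValueError(f"rejected attachment name: {name!r}")
    base = output_dir.resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"attachment resolves outside output dir: {name!r}")
    return candidate


def triage_attachments(names: List[str], output_dir: Path) -> Tuple[List[Path], List[str]]:
    """Split attachment names into writable target paths and rejected names."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_attachment_path(output_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: two ordinary names and two traversal attempts.
    sample = ["report.pdf", "../../outside.txt", "..\\..\\outside.txt", "invoice.xlsx"]
    ok, bad = triage_attachments(sample, Path("msg_attachments"))
    print("installed 0.18.17 patched?", is_patched("0.18.17"))
    print("accepted:", [p.name for p in ok])
    print("rejected:", bad)
```

In practice the application should refuse the whole MSG file when `rejected` is non-empty rather than silently dropping the bad attachments, and keep the name check in place even after upgrading, so the library fix is not the only layer.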

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations during MSG processing
  • Errors from partition_msg function
  • Failed path traversal attempts in application logs

Network Indicators:

  • Uploads of MSG files to web applications using unstructured library

SIEM Query:

source="application.log" AND "partition_msg" AND (".." OR "/" OR "\\")
