CVE-2025-64712
Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write
Description
A Path Traversal vulnerability in the `partition_msg` function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. ## Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal sequences (e.g., `../../../etc/cron.d/malicious`). When processed with `process_attachments=True`, the library writes the attachment to an attacker-controlled path, potentially leading to: - Arbitrary file overwrite - Remote code execution (via overwriting configuration files, cron jobs, or Python packages) - Data corruption - Denial of service ## Affected Functionality The vulnerability affects the MSG file partitioning functionality when `process_attachments=True` is enabled. ## Vulnerability Details The library does not sanitize attachment filenames in MSG files before using them in file write operations, allowing directory traversal sequences to escape the intended output directory. ## Workarounds Until patched, users can: - Set `process_attachments=False` when processing untrusted MSG files - Avoid processing MSG files from untrusted sources - Implement additional filename validation before processing
How to fix CVE-2025-64712
To remediate CVE-2025-64712, upgrade the affected package to a fixed version below.
- —upgrade to 0.18.18 or later
Is CVE-2025-64712 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.18.18