VDB
CVE-2025-64712
CVE-2025-64712
PUBLISHED
CVSS 9.800000190734863 CRITICAL
The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.
EPSS 0.13% · 32.0th percentile
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.13%
32.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Unstructured-IO | unstructured | < 0.18.18, < 0.18.18 |
| unstructured | unstructured | 0, 0 |
| PyPI | unstructured | 0, 0 |
Timeline
- Feb 3, 2026 CVE Published
- Feb 4, 2026 CVE Updated
- Feb 4, 2026 PoC Published
- Feb 5, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
- Feb 9, 2026 PoC Published
- Feb 12, 2026 EPSS Score
- Feb 13, 2026 PoC Published
- Feb 13, 2026 PoC Published
- Feb 13, 2026 PoC Published
- Feb 13, 2026 PoC Published
References
- https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m url
- https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d url
- https://nvd.nist.gov/vuln/detail/CVE-2025-64712 advisory
- https://github.com/Unstructured-IO/unstructured package