CVE-2025-64712

Unstructured-IO · Unstructured (Library)

A path traversal vulnerability in the Unstructured library's partition_msg function allows attackers to write or overwrite arbitrary files when processing malicious MSG attachments.

Executive summary

The Unstructured library is vulnerable to a critical path traversal flaw that allows unauthenticated attackers to overwrite system files by providing a malicious MSG file for processing.

Vulnerability

A path traversal flaw exists in the partition_msg function. When the library processes a specially crafted MSG file with malicious attachments, it fails to sanitize the file paths, allowing an unauthenticated attacker to write or overwrite arbitrary files on the local filesystem.
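The check such a fix needs, written here as an added example rather than the Unstructured library's own code: the output-directory layout and the function names are assumptions, and the attachment names are constructed samples.

```python
from pathlib import Path


class AttachmentPathError(ValueError):
    """The attachment name is not a plain filename that stays inside the output directory."""


def safe_attachment_path(output_dir: str, attachment_name: str) -> Path:
    """Map an untrusted attachment name taken from an MSG file to a path inside output_dir.

    Rejects (rather than silently rewrites) anything that is not a bare filename:
    empty or dot-only names, NUL bytes, '/' or '\\' separators (MSG files are
    Windows-origin, so both must count as separators) and drive prefixes.
    The resolved target is then checked to sit directly under the resolved
    output directory, which also catches a pre-existing symlink of the same name.
    """
    name = attachment_name
    if not name or name.strip(" .") == "" or "\x00" in name:
        raise AttachmentPathError(f"unusable attachment name: {name!r}")
    if "/" in name or "\\" in name or ":" in name:
        raise AttachmentPathError(f"attachment name contains path syntax: {name!r}")
    root = Path(output_dir).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise AttachmentPathError(f"attachment name escapes output dir: {name!r}")
    return target


def is_safe_attachment_name(output_dir: str, attachment_name: str) -> bool:
    """Boolean form of the check, convenient for logging or filtering before extraction."""
    try:
        safe_attachment_path(output_dir, attachment_name)
    except AttachmentPathError:
        return False
    return True


def write_attachment(output_dir: str, attachment_name: str, data: bytes) -> Path:
    """Write attachment bytes to a fresh file and never overwrite an existing one.

    Mode 'xb' opens with O_CREAT|O_EXCL, so the call fails if anything (a file or
    even a dangling symlink) already exists at that path, which closes the
    'overwrite arbitrary files' half of the advisory independently of the name check.
    """
    target = safe_attachment_path(output_dir, attachment_name)
    with open(target, "xb") as fh:
        fh.write(data)
    return target
```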

Business impact

This vulnerability carries a CVSS score of 9.8. Successful exploitation can lead to Remote Code Execution (RCE) if the attacker overwrites critical application code or configuration files. This poses a significant risk to automated data pipelines and document processing systems that handle external user input.

Remediation

Immediate Action: Upgrade the unstructured Python library to version 0.18.18 or later using your package manager (e.g., pip install --upgrade unstructured).

Proactive Monitoring: Monitor for unexpected file creation or modification events in the directories where the application processes documents and, because a traversal write by definition lands outside those directories, in the application code and configuration locations that the processing account can reach.

Compensating Controls: Run document processing tasks in a restricted, sandboxed environment (like a container with a read-only root filesystem) to limit the impact of a path traversal attack.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Path traversal in a document ingestion library is a high-priority issue. Developers and system administrators must update the library immediately to version 0.18.18 or later to protect their data processing infrastructure.