—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Remote Code Execution vulnerability in Unstructured.io

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

Unstructured-IO versions prior to 0.18.18

Overview

A critical path traversal vulnerability has been reported in Unstructured-IO library which could allow an unauthenticated remote attacker to execute arbitrary code on the target system.

Target Audience:

Individuals and end-user organisations using affected Unstructured-IO.

Risk Assessment:

Risk of unauthorized access, data tampering, or full system compromise.

Impact Assessment:

High potential of arbitrary code execution.

Description

The Unstructured.io library is an open-source toolkit for ingesting and pre-processing unstructured data such as PDFs, HTML, Word documents, images, and email files. It is widely used in AI pipelines and document processing workflows to convert raw files into machine-readable text.

This vulnerability exists due to improper sanitization of attachment filenames during the extraction and temporary storage of specially crafted Microsoft Outlook (.msg) files, enabling directory traversal and arbitrary file write.

Successful exploitation of this vulnerability could allow an unauthorized remote attacker to execute arbitrary code on the targeted system.

Solution

Apply appropriate updates as mentioned by the vendor:

https://gbhackers.com/cve-2025-64712-in-unstructured-io/

Vendor Information

Unstructured.io

https://gbhackers.com/cve-2025-64712-in-unstructured-io/

References

Unstructured.io

https://gbhackers.com/cve-2025-64712-in-unstructured-io/

CVE Name

CVE-2025-64712

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmUgdYACgkQ3jCgcSdc

ys/mqg//RL64ovfqM/oEMxS1lmdO0118IE6iRoPqOmb/b/bPK5kURtgvwOFgJzkl

ZJgnnr8rFx59htvaIGVyEEha6T7yJB6NCTD7vze0laIEsgwty/xo5/oPpD/RKoIQ

GWqcLUyqEYdqaCz6I/35KPFTEKGYmNueKp3CB23/8C3gSFyqpazOIDJz/qtgypCg

AaZp7ArDayAC11hw7nF2ADjjFiUwFQC18VcTeJeNlTmmTNcViPdrpjspjiMj+Iww

nLmbkddb7pnpB6doq1m+1rgB+gKC/WNtti3Ga5tgOym0o/ERUrP3glFCCIfiqIyF

rQoU/K3INmEKWuBrPApRWURzL657RBs31IQAmA6Gj44ONqRFKXJMmoGXTkbeUrRS

0POfdYcuzqk37ByoL3j8DQgyfEU3skysqUwMvSWDWEbPDvti7eKt/iYCSOgf8E5B

g4X9XKPtuNqBe2Z0DIVoSV1BJEbvphyP0eQiYB+vZ67AQjnlwuREjDiDMPAPNEfC

bhInKLisZGdTmWinMLLkPr1v65z0azAfWw96jAtUQdAEx5KdAPCzvabBNI+iM33u

+C4yLaAwD0PttN5Q1aASbJCg9Mq1PZDcW5QmJE/6E5oeSNfODwnHUNBPMKZc6I5Q

t59x0tXFnCwbHtjKLhsEbnTeW8OtIhPSDMQ/mSnlngMblIxsaQ0=

=ZRLd

—–END PGP SIGNATURE—–