Conversation

@a-klos
Member

@a-klos a-klos commented Feb 9, 2026

This PR contains the following updates:

Package      | Change             | Age | Confidence
-------------|--------------------|-----|-----------
unstructured | 0.18.15 -> 0.18.18 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-64712

A Path Traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments.

Impact

An attacker can craft a malicious .msg file with attachment filenames containing path traversal sequences (e.g., ../../../etc/cron.d/malicious). When processed with process_attachments=True, the library writes the attachment to an attacker-controlled path, potentially leading to:

  • Arbitrary file overwrite
  • Remote code execution (via overwriting configuration files, cron jobs, or Python packages)
  • Data corruption
  • Denial of service

Affected Functionality

The vulnerability affects the MSG file partitioning functionality when process_attachments=True is enabled.

Vulnerability Details

The library does not sanitize attachment filenames in MSG files before using them in file write operations, allowing directory traversal sequences to escape the intended output directory.

Workarounds

Until patched, users can:

  • Set process_attachments=False when processing untrusted MSG files
  • Avoid processing MSG files from untrusted sources
  • Implement additional filename validation before processing

Release Notes

Unstructured-IO/unstructured (unstructured)

v0.18.18

Compare Source

Fixes
  • Prevent path traversal in email MSG attachment filenames: Fixed a security vulnerability (GHSA-gm8q-m8mv-jj5m) where malicious attachment filenames containing path traversal sequences could write files outside the intended directory. The fix normalizes both Unix and Windows path separators before sanitizing filenames, preventing cross-platform path traversal attacks in partition_msg functions.

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.
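A defender-side filename check of the kind the advisory's third workaround ("additional filename validation") describes, following the release note's approach of normalizing both separators before sanitizing. This is an added example, not unstructured's own code; the function names and the character allow-list are assumptions.

```python
import os
import posixpath
import re

# Constructed example: validate an untrusted MSG attachment filename before it
# is used to write a file under output_dir. Not unstructured's own code.

# Conservative allow-list for a single path component (assumption).
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_attachment_filename(filename: str) -> str:
    """Reduce an untrusted attachment name to one safe path component."""
    # Normalize Windows separators so "..\\..\\x" is treated like "../../x";
    # posixpath.basename would otherwise not split on backslashes.
    normalized = filename.replace("\\", "/")
    # Keep only the last component; this discards any directory traversal.
    base = posixpath.basename(normalized)
    # Replace characters outside the allow-list and drop leading dots, so
    # "..", "." and hidden-file names cannot survive as a component.
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    if not base:
        raise ValueError(f"unsafe attachment filename: {filename!r}")
    return base


def safe_attachment_path(output_dir: str, filename: str) -> str:
    """Return an absolute target path inside output_dir, or raise."""
    root = os.path.realpath(output_dir)
    target = os.path.realpath(
        os.path.join(root, sanitize_attachment_filename(filename))
    )
    # Defense in depth: even after sanitizing, verify containment so a
    # regression in the sanitizer cannot silently escape the directory.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"attachment path escapes output directory: {filename!r}")
    return target
```

The containment check belongs before the actual write; the sanitizer alone is the part that the fix in 0.18.18 adds, and the realpath comparison catches anything it misses.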

@a-klos a-klos added python Pull requests that update python code renovate labels Feb 9, 2026
a-klos added a commit that referenced this pull request Feb 10, 2026
@a-klos a-klos closed this Feb 10, 2026
