A critical vulnerability in the Unstructured.io library could lead to arbitrary file writes due to a path traversal flaw, Cyera revealed Thursday.Unstructured.io is an extract, transform, load (ETL) product, which enables unstructured data such as PDFs, emails, Word documents, slideshows and more to be converted into a structured format that is easily searchable by AI systems.The main Unstructured library is open-source, with Unstructured.io also offering managed services and an enterprise platform for managing ETL workflows in a no-code interface. According to Unstructured’s website, 87% of Fortune 1000 companies use Unstructured.The vulnerability, tracked as CVE-2025-64712, stems from the method Unstructured uses to process Microsoft Outlook email messages, or .msg files. The function used to extract text from email attachments stores the attachment in a temp directory at a path containing the attachment’s file name (ex. /tmp/attachment_file_name).The Cyera researchers found that by sending an email with an attachment whose file name contains a directory traversal sequence, like “../,” an attacker could escape the temporary directory and write files elsewhere on the host system.
Related reading:
An attacker could then potentially achieve remote code execution (RCE) by writing malicious code to startup scripts like init.d, create cron jobs, or overwrite the SSH “authorized_keys” file to gain backdoor access (by sending an attachment with the file name “../../root/.ssh/authorized_keys”), Cyera explained.CVE-2025-64712 was fixed in Unstructured.io version 0.18.18, and users of the library are urged to update to this version to prevent exploitation.Cyera noted a significant supply chain risk posed by the vulnerability due to widespread use of the Unstructured library in the open-source ecosystem. Unstructured has more than 4 million monthly downloads and is used in other major open-source tools such as OpenWebUI, LlamaIndex and LangChain.In total, Cyera found the Unstructured library was used as a dependency in about 10,000 files on GitHub, while langchain_community.document_loaders, which leverages Unstructured, is used in about 100,000 files. The potential “blast radius” of the flaw, along with potential consequences ranging from data exfiltration, secrets theft and lateral movement, further emphasize the importance of timely patching and supply chain visibility.
Vulnerability Management, Email security, Patch/Configuration Management, Supply chain
Unstructured.io flaw enables path traversal by email attachment

(Credit: Rafael Henrique – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



