VDB
EN
CRITICAL 9.8

PYSEC-2026-558

Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write

상세

A Path Traversal vulnerability in the `partition_msg` function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments.

## Impact An attacker can craft a malicious .msg file with attachment filenames containing path traversal sequences (e.g., `../../../etc/cron.d/malicious`). When processed with `process_attachments=True`, the library writes the attachment to an attacker-controlled path, potentially leading to:

- Arbitrary file overwrite - Remote code execution (via overwriting configuration files, cron jobs, or Python packages) - Data corruption - Denial of service

## Affected Functionality The vulnerability affects the MSG file partitioning functionality when `process_attachments=True` is enabled.

## Vulnerability Details The library does not sanitize attachment filenames in MSG files before using them in file write operations, allowing directory traversal sequences to escape the intended output directory.

## Workarounds Until patched, users can: - Set `process_attachments=False` when processing untrusted MSG files - Avoid processing MSG files from untrusted sources - Implement additional filename validation before processing

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / unstructured
최초 영향 버전: 0 수정 버전: 0.18.18
수정 pip install --upgrade 'unstructured>=0.18.18'

참고