A critical vulnerability has been discovered in the unstructured library, tracked as CVE-2025-64712, with a CVSS score of 9.8 that enables remote code execution. The flaw affects the partition_msg function, which parses Outlook .msg files (a common data processing step when ingesting emails and documents), and can be exploited by uploading a malicious .msg file.
The library, which has over 4 million monthly downloads, remains vulnerable in all versions up to and including 0.18.17; a patch released in 0.18.18 sanitises attachment filenames to prevent traversal attacks. According to the advisory, an attacker can craft a malicious .msg file with attachment filenames containing path traversal sequences and, when the file is processed with process_attachments=True, write files anywhere on the host system, potentially enabling RCE.
Workarounds include setting process_attachments=False when processing untrusted MSG files until the patched version is deployed. The advisory also outlines attack vectors such as overwriting configuration files, hijacking cron jobs and Python package poisoning, underscoring the broad impact of the flaw.
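As an added illustration of the mitigation the advisory describes (sanitising attachment filenames and keeping writes inside the output directory), the following Python is example code written for this page; it is not the unstructured project's own patch. The function names, the `strict` flag and the sample attachment names are constructed for the demonstration. It goes slightly beyond the advisory by treating any separator, drive prefix or `..` component as a rejection signal in strict mode, since a legitimate attachment name never needs them and their presence is worth logging as evidence of tampering.

```python
"""Defensive handling of attachment filenames taken from untrusted Outlook .msg
files. Added example for this page; hypothetical helpers, not the unstructured
project's code."""
import ntpath
import re
from pathlib import Path
from typing import List, Sequence, Tuple

# Anything a bare attachment filename never needs: a path separator of either
# flavour (a .msg written on Windows may carry backslashes even when parsed on
# Linux), a drive prefix such as "C:", a NUL byte, or a bare ".." component.
_SUSPICIOUS = re.compile(r"[\\/]|^[A-Za-z]:|\x00|^\.\.$")


class UnsafeAttachmentName(ValueError):
    """Raised when an attachment filename is rejected."""


def is_suspicious_name(name: str) -> bool:
    """True if the name carries separators, a drive prefix, '..' or NUL.
    Useful as a detection signal even when the attachment is simply skipped."""
    return bool(_SUSPICIOUS.search(name))


def sanitize_attachment_name(name: str, strict: bool = True) -> str:
    """Return a bare filename that is safe to join onto an output directory.

    strict=True  -> any suspicious name is rejected outright (recommended for
                    untrusted input; log the rejection).
    strict=False -> directory components are stripped and the basename kept.
    """
    if strict and is_suspicious_name(name):
        raise UnsafeAttachmentName(f"rejected attachment name {name!r}")
    # ntpath.basename splits on both '/' and '\\' and drops "C:" style
    # prefixes regardless of the host OS, so it is the stricter choice here.
    base = ntpath.basename(name.replace("\x00", "")).strip()
    if base in ("", ".", ".."):
        raise UnsafeAttachmentName(f"no usable filename in {name!r}")
    return base


def resolve_attachment_path(output_dir: str, name: str, strict: bool = True) -> Path:
    """Absolute destination for the attachment, guaranteed to lie inside output_dir."""
    root = Path(output_dir).resolve()
    target = (root / sanitize_attachment_name(name, strict)).resolve()
    # Defence in depth: even after sanitising, confirm containment before writing.
    if root not in target.parents:
        raise UnsafeAttachmentName(f"{name!r} resolves outside {root}")
    return target


def rejects(name: str, strict: bool = True) -> bool:
    """True if the sanitiser refuses this name under the given policy."""
    try:
        sanitize_attachment_name(name, strict)
    except UnsafeAttachmentName:
        return True
    return False


def extract_attachments(attachments: Sequence[Tuple[str, bytes]], output_dir: str,
                        strict: bool = True) -> Tuple[List[Path], List[str]]:
    """Write (filename, payload) pairs under output_dir.
    Returns the paths written and the attachment names that were rejected."""
    written: List[Path] = []
    rejected: List[str] = []
    for name, payload in attachments:
        try:
            dest = resolve_attachment_path(output_dir, name, strict)
        except UnsafeAttachmentName:
            rejected.append(name)  # in production: log/alert on this
            continue
        dest.write_bytes(payload)
        written.append(dest)
    return written, rejected


if __name__ == "__main__":
    import tempfile
    # Constructed sample attachment names of the kind a hostile .msg might carry.
    sample = [
        ("quarterly-report.pdf", b"<constructed payload>"),
        ("../../etc/cron.d/job", b"<constructed payload>"),
        ("..\\..\\site-packages\\hook.py", b"<constructed payload>"),
        ("/etc/passwd", b"<constructed payload>"),
    ]
    with tempfile.TemporaryDirectory() as out:
        ok, bad = extract_attachments(sample, out)
        print("written:", [p.name for p in ok])
        print("rejected:", bad)
```

In strict mode only `quarterly-report.pdf` is written and the other three names are reported as rejected; with `strict=False` the traversal names collapse to `job` and `hook.py` inside the output directory, and `/etc/passwd` still lands as `passwd` under that directory rather than at the root. Either way the final containment check in `resolve_attachment_path` is what guarantees nothing is written outside the chosen directory.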