Information Exposure Affecting unstructured package, versions [,0.16.20)

Q: How to fix?

Upgrade unstructured to version 0.16.20 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PYTHON-UNSTRUCTURED-9055244
published2 Mar 2025
disclosed1 Mar 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Mar 2025

CWE-200 (opens in a new tab)

How to fix?

Upgrade unstructured to version 0.16.20 or higher.

Overview

unstructured is an A library that prepares raw documents for downstream ML tasks.

Affected versions of this package are vulnerable to Information Exposure when the filetype supports an include functionality, it is possible to partition arbitrary local files.

This vulnerability specifically affects rst and org files. This is only exploitable if the include functionality is used to bring in content from files external to the partitioned file.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None