VYPR
Critical severity (9.8) · NVD Advisory · Published Dec 9, 2024 · Updated Apr 15, 2026

CVE-2024-46455

Description

unstructured v0.14.2 and earlier is vulnerable to XML External Entity (XXE) injection via the XMLParser.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
unstructured (PyPI)   < 0.14.3            0.14.3

Patches

Patch 1: 171b5df09fc3

fix: set `resolve_entities=False` in `partition_xml` (#3088)

https://github.com/Unstructured-IO/unstructured · Matt Robinson · May 23, 2024 · via ghsa
3 files changed · +5 −3
  • CHANGELOG.md (+3 −1, modified)
    @@ -1,4 +1,4 @@
    -## 0.14.3-dev1
    +## 0.14.3-dev2
     
     ### Enhancements
     
    @@ -8,6 +8,8 @@
     
     ### Fixes
     
    +**Turn off XML resolve entities** Sets `resolve_entities=False` for XML parsing with `lxml`
    +  to avoid text being dynamically injected into the XML document.
     * Add the missing `form_extraction_skip_tables` argument to the `partition_pdf_or_image` call.
     
     ## 0.14.2
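Review bot: the new Fixes entry on the `+**Turn off XML resolve entities**` lines is not formatted as a list item, unlike the `* Add the missing ...` entry that follows it, so it will render as a loose paragraph rather than a bullet; prefix it with `* ` to match the surrounding list. The wording would also be more precise if it said that entity expansion is disabled (which is what blocks the external-entity vector this advisory covers) rather than "text being dynamically injected".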
    
  • unstructured/partition/xml.py (+1 −1, modified)
    @@ -51,7 +51,7 @@ def _get_leaf_elements(
         """Parse the XML tree in a memory efficient manner if possible."""
         element_stack = []
     
    -    element_iterator = etree.iterparse(file, events=("start", "end"))
    +    element_iterator = etree.iterparse(file, events=("start", "end"), resolve_entities=False)
         # NOTE(alan) If xml_path is used for filtering, I've yet to find a good way to stream
         # elements through in a memory efficient way, so we bite the bullet and load it all into
         # memory.
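Review bot: `resolve_entities=False` here covers only the streaming `etree.iterparse` call, but the `NOTE(alan)` comment directly below says the `xml_path` filtering case loads the whole document into memory by a different route, and that parse is not in this hunk; confirm that path also builds its parser with entity resolution off (for example an explicit `etree.XMLParser(resolve_entities=False)`), otherwise the fix is bypassed whenever `xml_path` is set. A one-line comment next to the keyword explaining that it closes the XXE issue would also help keep it from being dropped in a later refactor.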
    
  • unstructured/__version__.py (+1 −1, modified)
    @@ -1 +1 @@
    -__version__ = "0.14.3-dev1"  # pragma: no cover
    +__version__ = "0.14.3-dev2"  # pragma: no cover
    
