Commit 2f2a257
fix: update docling to 2.97.0 to address multiple security vulnerabilities
Docling versions prior to 2.61.1 are vulnerable to XML Entity Expansion
(XXE) attacks in the METS GBS backend, allowing attackers to craft
malicious XML files with nested entity definitions (XML Bomb) that can
cause DoS through excessive resource consumption.
Docling versions prior to 2.91.0 are vulnerable to unsafe URI and path
handling in the HTML backend (CVE-2026-47214), including:
- Path traversal via ../ sequences and absolute paths
- SSRF via unvalidated file:// URIs and internal network access
- Unvalidated HTTP redirects
- Unlimited resource consumption from remote images and data: URIs
Updated to version 2.97.0 which includes all security fixes from 2.61.1,
2.91.0, and 2.94.0 releases.
Fixes: https://github.com/developerproductivity/logilica-cli/security/dependabot/3
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

1 parent 60a7ed4 commit 2f2a257
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
| 2 | + | |
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
| |||
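Review bot: the rendered hunk shows old line 2 replaced by new line 2 but carries neither the file name nor the line content, so the pinned docling version and its constraint operator cannot be checked against the 2.97.0 the commit message states; quote the changed requirement line in the description, and since only 1 file changed, confirm separately that any lockfile pinning docling was regenerated, otherwise installs resolved from the lock would still pull the vulnerable release.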
0 commit comments