fix: update docling to 2.97.0 to address multiple security vulnerabilities #35

Open
rnapoles-rh wants to merge 1 commit into main from fix/docling-security-update

Conversation

@rnapoles-rh

Contributor

Address Docling vulnerabilities.

Docling versions prior to 2.61.1 are vulnerable to XML Entity Expansion (XXE) attacks in the METS GBS backend, allowing attackers to craft malicious XML files with nested entity definitions (XML Bomb) that can cause DoS through excessive resource consumption.

Docling versions prior to 2.91.0 are vulnerable to unsafe URI and path handling in the HTML backend (CVE-2026-47214), including:

  • Path traversal via ../ sequences and absolute paths
  • SSRF via unvalidated file:// URIs and internal network access
  • Unvalidated HTTP redirects
  • Unlimited resource consumption from remote images and data: URIs

Updated to version 2.97.0, which includes all security fixes from the 2.61.1, 2.91.0, and 2.94.0 releases.

Fixes: https://github.com/developerproductivity/logilica-cli/security/dependabot/3

fix: update docling to 2.97.0 to address multiple security vulnerabilities

Docling versions prior to 2.61.1 are vulnerable to XML Entity Expansion
(XXE) attacks in the METS GBS backend, allowing attackers to craft
malicious XML files with nested entity definitions (XML Bomb) that can
cause DoS through excessive resource consumption.

Docling versions prior to 2.91.0 are vulnerable to unsafe URI and path
handling in the HTML backend (CVE-2026-47214), including:
- Path traversal via ../ sequences and absolute paths
- SSRF via unvalidated file:// URIs and internal network access
- Unvalidated HTTP redirects
- Unlimited resource consumption from remote images and data: URIs

Updated to version 2.97.0, which includes all security fixes from the 2.61.1,
2.91.0, and 2.94.0 releases.

Fixes: https://github.com/developerproductivity/logilica-cli/security/dependabot/3

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
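
The HTML-backend issue classes listed above (path traversal, file:// and internal-network SSRF, redirects, unbounded remote or data: content) all reduce to validating a reference before anything is fetched. The following is an added illustration in Python, not docling's code or the fix shipped in 2.91.0; the size cap, base directory, sample hosts and the injectable resolver are assumptions of the example.

```python
"""Defensive URI/path checks for an HTML-ingestion pipeline (added illustration,
not docling's code). Each check maps to one issue class listed in the PR; the
size cap and sample hosts are constructed for the example."""
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

MAX_DATA_URI_BYTES = 256 * 1024  # constructed cap on inline data: payloads

def _default_resolve(host):
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def host_is_internal(host, resolve=_default_resolve):
    """True if host is, or resolves to, loopback/private/link-local/reserved space."""
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError, LookupError):
            return True  # unresolvable or malformed: fail closed
    return not addrs or any(a.is_private or a.is_loopback or a.is_link_local
                            or a.is_reserved or a.is_multicast or a.is_unspecified
                            for a in addrs)

def check_reference(ref, base_dir, resolve=_default_resolve):
    """Classify an href/src found in HTML; returns (allowed, reason).
    Apply the same check to every redirect Location before following it."""
    parts = urlsplit(ref)
    scheme = parts.scheme.lower()
    if scheme == "data":
        if len(parts.path.encode()) > MAX_DATA_URI_BYTES:
            return False, "data: URI exceeds size cap"
        return True, "inline data within cap"
    if scheme in ("", "file"):
        if scheme == "file" and parts.netloc not in ("", "localhost"):
            return False, "file: URI names a remote host"
        base = Path(base_dir).resolve()
        target = (base / parts.path).resolve()  # an absolute path replaces base here
        try:
            target.relative_to(base)
        except ValueError:
            return False, "path escapes the document directory"
        return True, "local file inside document directory"
    if scheme in ("http", "https"):
        if host_is_internal(parts.hostname or "", resolve):
            return False, "host is internal (SSRF risk)"
        return True, "remote fetch permitted; enforce a byte cap while reading"
    return False, f"scheme {scheme!r} not allowed"
```

The resolver hook exists so the network-dependent branch can be exercised offline; in production the default `getaddrinfo` path is used and the check must be repeated on each redirect target, since a permitted public host may redirect to an internal one.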