fix: update docling to 2.97.0 to address multiple security vulnerabilities #35
Open
rnapoles-rh wants to merge 1 commit into
Conversation
fix: update docling to 2.97.0 to address multiple security vulnerabilities

Docling versions prior to 2.61.1 are vulnerable to XML Entity Expansion (XXE) attacks in the METS GBS backend, allowing attackers to craft malicious XML files with nested entity definitions (XML Bomb) that can cause DoS through excessive resource consumption.

Docling versions prior to 2.91.0 are vulnerable to unsafe URI and path handling in the HTML backend (CVE-2026-47214), including:
- Path traversal via ../ sequences and absolute paths
- SSRF via unvalidated file:// URIs and internal network access
- Unvalidated HTTP redirects
- Unlimited resource consumption from remote images and data: URIs

Updated to version 2.97.0 which includes all security fixes from 2.61.1, 2.91.0, and 2.94.0 releases.

Fixes: https://github.com/developerproductivity/logilica-cli/security/dependabot/3

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Address Docling vulnerabilities.
Docling versions prior to 2.61.1 are vulnerable to XML Entity Expansion (XXE) attacks in the METS GBS backend, allowing attackers to craft malicious XML files with nested entity definitions (XML Bomb) that can cause DoS through excessive resource consumption.
Docling versions prior to 2.91.0 are vulnerable to unsafe URI and path handling in the HTML backend (CVE-2026-47214), including:
- Path traversal via ../ sequences and absolute paths
- SSRF via unvalidated file:// URIs and internal network access
- Unvalidated HTTP redirects
- Unlimited resource consumption from remote images and data: URIs
Updated to version 2.97.0 which includes all security fixes from 2.61.1, 2.91.0, and 2.94.0 releases.
Fixes: https://github.com/developerproductivity/logilica-cli/security/dependabot/3
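The four HTML-backend issues the description lists (path traversal, file:// and internal-network SSRF, blind redirects, unbounded remote and data: resources) each correspond to a check a document converter should run before touching a referenced resource. The block below is an added illustration of those checks, not docling's code or its fix; the base directory, size cap and URLs are constructed, and hostnames are deliberately not resolved here, so a real implementation must re-check the resolved address and every redirect target.

```python
"""Defensive checks for the HTML-backend issue classes listed in the PR."""
import ipaddress
import posixpath
from typing import Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REMOTE_BYTES = 5 * 1024 * 1024  # constructed cap for fetched images


def is_safe_local_path(ref: str, base_dir: str) -> bool:
    """Reject absolute paths and '../' sequences that escape base_dir."""
    if posixpath.isabs(ref):
        return False
    resolved = posixpath.normpath(posixpath.join(base_dir, ref))
    base = posixpath.normpath(base_dir)
    return resolved == base or resolved.startswith(base + "/")


def is_safe_remote_url(url: str) -> bool:
    """Allow only http(s) URLs whose literal host is not loopback/private.

    Hostnames are not resolved (offline example): a backend must apply the
    same address test to the resolved IP, or DNS rebinding bypasses it.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # blocks file://, data:, and scheme-less references
    host = parts.hostname
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname; re-check after resolution
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)


def check_redirect(original: str, location: str) -> bool:
    """Validate the redirect target with the same rules as the first URL."""
    return is_safe_remote_url(original) and is_safe_remote_url(location)


def within_size_limit(content_length: Optional[int],
                      limit: int = MAX_REMOTE_BYTES) -> bool:
    """Refuse bodies of unknown or excessive size before reading them."""
    return content_length is not None and 0 <= content_length <= limit
```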