Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Malicious input must be processed locally (AV:L, UI:R) with no privileges (PR:N); XXE yields high file-read confidentiality (C:H) and bombs cause DoS (A:H), with no integrity impact (I:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
7DescriptionNVD
Impact
The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling:
- XML External Entity (XXE) attacks to read local files or cause denial of service
- Decompression bombs (zip bombs) to exhaust memory and disk space
- Unbounded archive extraction consuming system resources
An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.
Patches
Fixed in version 2.91.0. The fix implements:
- Secure XML parsing with
resolve_entities=False,load_dtd=False, andno_network=True - Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
- Cumulative size tracking across all extractions
- Early termination when limits are exceeded
- Secure format detection of METS-GBS tar archives with
_detect_mets_gbs()method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded
Workarounds
Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.
References
- Fix release: v2.91.0
AnalysisAI
Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.
Technical ContextAI
Docling is a popular open-source Python library (distributed as pkg:pip/docling) used to parse and convert documents - increasingly in RAG and LLM ingestion pipelines. The flaw lives in the METS-GBS backend, which handles METS-GBS tar archives (a METS-based packaging format for digitized books/Google Books-style content). Two root causes combine: an unsafe XML parser that resolved external entities and DTDs (classic XXE) and an archive extractor with no size/member limits. The assigned CWE-409 (Improper Handling of Highly Compressed Data / decompression bomb) captures the resource-exhaustion half; the advisory and tags also explicitly cite XXE, which is a CWE-611 class issue. The fix in 2.91.0 hardens XML parsing with resolve_entities=False, load_dtd=False, and no_network=True, and adds a _detect_mets_gbs() detector plus extraction limits (300 MB total, 10 MB per file, 1000 members) with cumulative tracking and early termination.
RemediationAI
Vendor-released patch: 2.91.0 - upgrade docling to 2.91.0 or later (pip install --upgrade 'docling>=2.91.0'), which enforces secure XML parsing (resolve_entities=False, load_dtd=False, no_network=True) and extraction limits (300 MB total, 10 MB per file, 1000 members). If you cannot upgrade immediately, the vendor workaround is to avoid processing METS-GBS archives from untrusted sources; where such processing is required, pre-validate archives in an isolated sandbox with strict CPU, memory, and disk quotas (the trade-off is added pipeline latency and operational overhead) and disable or gate the METS-GBS ingestion path so only trusted, size-bounded inputs reach the backend. See the advisory https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv and release notes https://github.com/docling-project/docling/releases/tag/v2.91.0 (fix PR #3336, commit c1dbac2).
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39790
GHSA-r3xg-rg9j-67fv