docling-core CVE-2026-44019
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
In versions >= 2.5.0, < 2.74.1, docling-core could allow local file:// image references and accepted inline data: content without a decoded-size limit.
In applications that accept untrusted image references, this may allow access to local files readable by the process or excessive memory use from large inline payloads.
Patches
Patched in docling-core 2.74.1. The fix blocks local file URIs by default and adds a size limit for decoded inline image data.
Users should upgrade to:
docling-core>= 2.74.1
Workarounds
If upgrading is not immediately possible:
- reject
file:anddata:image references from untrusted input - allow only approved local or remote image sources
- apply input size and memory limits to processing workers
References
- Fix release:
v2.74.1
AnalysisAI
Improper URI validation in docling-core versions 2.5.0 through 2.74.0 lets remote attackers supplying crafted image references read arbitrary local files readable by the processing user or exhaust memory via oversized inline data: payloads. The flaw exists because the library accepted file:// references and did not enforce a decoded-size cap on inline base64 image content. No public exploit identified at time of analysis, but the GitHub advisory GHSA-j5xp-7m2f-49jv confirms the issue and a fixed release (2.74.1) is available.
Technical ContextAI
docling-core is a Python library (pkg:pip/docling-core) used to parse and serialize document content including embedded image references via ImageRef objects. The root cause maps to CWE-73 (External Control of File Name or Path): the ImageRef URI handler trusted user-supplied schemes, accepting file:// URIs that resolve to paths on the host filesystem and data: URIs whose base64 payloads were decoded without a size ceiling. When an upstream application - such as a document-ingestion pipeline, RAG indexer, or AI agent that feeds untrusted documents into docling-core - passed attacker-controlled image references, the library would either dereference local paths or allocate memory proportional to the inline payload. The 2.74.1 fix (commit 2087d0f, PR #595 'Refine ImageRef URI handling') blocks file:// URIs by default and enforces a decoded-size limit on inline data.
RemediationAI
Apply the vendor-released patch: upgrade docling-core to version 2.74.1 or later (https://github.com/docling-project/docling-core/releases/tag/v2.74.1), which blocks file:// URIs by default and adds a decoded-size limit for inline data: image payloads (PR #595, commit 2087d0f). Where an immediate upgrade is not feasible, reject file: and data: schemes in image references coming from untrusted input before passing documents to docling-core, restrict accepted image sources to an allowlist of approved local or remote origins (note: an allowlist may break legitimate workflows that depend on embedded base64 thumbnails or local-path references in trusted pipelines), and enforce input-size and per-worker memory limits to contain decoded-payload growth (trade-off: legitimate large images may be rejected, so tune limits against expected document sizes). Full advisory details and remediation guidance are at https://github.com/advisories/GHSA-j5xp-7m2f-49jv.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j5xp-7m2f-49jv