Skip to main content

Docling CVE-2026-44020

| EUVDEUVD-2026-39004 HIGH
Improper Restriction of Recursive Entity References in DTDs (CWE-776)
2026-06-03 https://github.com/docling-project/docling GHSA-m88r-rg27-5xfg
7.5
CVSS 3.1 · Vendor: https://github.com/docling-project/docling
Share

Severity by source

Vendor (https://github.com/docling-project/docling) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
9.4 HIGH
qualitative

Primary rating from Vendor (https://github.com/docling-project/docling).

CVSS VectorVendor: https://github.com/docling-project/docling

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 03, 2026 - 21:45 vuln.today
Analysis Generated
Jun 03, 2026 - 21:45 vuln.today

DescriptionCVE.org

Impact

The USPTO patent XML parser used the standard xml.sax.parseString() without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could:

  • Read arbitrary files from the server filesystem
  • Perform Server-Side Request Forgery (SSRF) attacks
  • Cause denial of service through entity expansion (Billion Laughs attack)

The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x.

Patches

Fixed in version 2.74.0. The parser now uses defusedxml.sax.make_parser() with secure configuration that blocks external entity resolution (feature_external_ges=False, feature_external_pes=False) while allowing DTD declarations required by USPTO files. This prevents XXE attacks while maintaining compatibility with the USPTO XML format.

Workarounds

Avoid processing USPTO patent XML files from untrusted sources. Implement resource limits (memory, CPU time) when processing patent documents.

References

AnalysisAI

XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.

Technical ContextAI

Docling is a Python document-processing library (pip/docling) that ingests multiple document formats, including USPTO patent XML. The vulnerable code path calls the standard library's xml.sax.parseString() on attacker-controlled XML without disabling external entity resolution, which maps to CWE-776 (Improper Restriction of Recursive Entity References, 'Billion Laughs'). Because xml.sax in CPython honors external general entities and parameter entities by default, a malicious DOCTYPE/ENTITY block can reference local files (file://), remote URLs (http://), or recursively expanded entities, yielding the classic XXE triad of file disclosure, SSRF, and resource-exhaustion DoS. The fix replaces the parser with defusedxml.sax.make_parser() and sets feature_external_ges=False and feature_external_pes=False while still allowing DTD declarations, which the USPTO format legitimately requires.

RemediationAI

Vendor-released patch: upgrade docling to 2.74.0 or later (pip install --upgrade 'docling>=2.74.0'); the fix replaces xml.sax with defusedxml.sax and disables external general and parameter entities while preserving DTD support needed by USPTO files, as documented at https://github.com/docling-project/docling/releases/tag/v2.74.0 and commit 576bada. If immediate upgrade is not possible, stop processing USPTO patent XML from untrusted sources (the vendor's stated workaround) and route any required ingestion through a sandboxed worker with no outbound network egress and read-only filesystem access to neutralize SSRF and file-read impact; additionally, apply per-job memory and CPU limits (for example via cgroups, ulimit, or container resource limits) to bound the Billion Laughs DoS, accepting that legitimate large patents may be rejected. Network-layer egress filtering blocking the worker from reaching internal metadata endpoints (169.254.169.254) and internal RFC1918 ranges further reduces SSRF blast radius until the upgrade lands.

Vendor StatusVendor

Share

CVE-2026-44020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy