Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from Vendor (https://github.com/docling-project/docling) · only source for this CVE.
CVSS VectorVendor: https://github.com/docling-project/docling
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences (e.g., ../../../etc/passwd) to:
- Read arbitrary files from the file system accessible to the process
- Include sensitive files in the converted document output
- Potentially access configuration files, credentials, or other sensitive data
Patches
Fixed in version 2.91.0. The fix implements strict path validation using Path.resolve().is_relative_to() to ensure all resolved paths remain within the base document directory. Attempts to traverse outside the base directory are logged and blocked.
Workarounds
Avoid processing untrusted LaTeX documents. If processing is necessary, run in a sandboxed environment with restricted file system access.
References
- Fix release: v2.91.0
AnalysisAI
Path traversal in Docling's LaTeX backend (pip/docling versions 2.73.0 through 2.90.x) allows an attacker who supplies a crafted LaTeX document to read arbitrary files accessible to the conversion process via the \includegraphics, \input, and \include command handlers. With a high confidentiality impact (C:H) but local attack vector and required user interaction (AV:L/UI:R per CVSS), the practical risk is concentrated in automated document-processing pipelines or services that ingest untrusted .tex files. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. A vendor-released patch exists as of version 2.91.0.
Technical ContextAI
Docling is a Python-based document conversion library (pip/docling) that includes a LaTeX backend for processing .tex files. The backend interprets LaTeX commands including \includegraphics (for images), \input, and \include (for sub-document inclusion), all of which accept file path arguments. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) describes the root cause: the backend resolved these paths without verifying the resolved canonical path remained within the base document directory. An attacker can embed sequences such as \includegraphics{../../../etc/passwd} to escape the working directory. The fix introduced in 2.91.0 applies Python's Path.resolve().is_relative_to() to canonicalize the requested path and confirm it is a descendant of the base document directory before any file access is performed, with violations logged and blocked.
RemediationAI
Upgrade docling to version 2.91.0 or later using pip install --upgrade docling. This version implements strict path containment via Path.resolve().is_relative_to() in the LaTeX macro handlers (commit 65ef180, PR #3330) and is the authoritative fix per the vendor advisory at https://github.com/docling-project/docling/security/advisories/GHSA-2j5p-7p5m-cvqr. If an immediate upgrade is not feasible, the vendor-recommended workaround is to avoid processing untrusted LaTeX documents entirely. If processing untrusted input is operationally required and patching is delayed, run the Docling process inside a sandboxed environment with filesystem access restricted to only the document working directory - for example, using Linux namespaces, Docker with a read-only rootfs and explicit volume mounts, or seccomp/AppArmor profiles that deny open() calls to sensitive filesystem paths. Note that sandboxing is a compensating control, not a substitute for patching: any misconfiguration of the sandbox boundary may leave traversal paths partially accessible.
Same weakness CWE-22 – Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39005
GHSA-2j5p-7p5m-cvqr