Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The URLInputHandler class in docling_graph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no IP-level validation. Additionally, requests.head() was called with allow_redirects=True, allowing an attacker to redirect requests to internal endpoints via an intermediary URL.
An attacker who can control the --source CLI argument or PipelineConfig.source API parameter can trigger Server-Side Request Forgery (SSRF) to reach:
- Cloud metadata endpoints (e.g.
169.254.169.254) to steal IAM credentials - Internal services on loopback (
127.0.0.1) or private network ranges (10.x,172.16.x,192.168.x)
This affects deployments where docling-graph processes URLs from untrusted input, such as multi-tenant pipelines or server-side automation.
Patches
The vulnerability is fixed in v1.5.1.
Users should upgrade immediately:
pip install --upgrade docling-graphThe fix adds IP validation via ipaddress and socket.gethostbyname() before any request is made, blocks private/loopback/link-local/reserved addresses, and disables redirect following (allow_redirects=False) with explicit validation of any Location header before following it.
Workarounds
If upgrading is not immediately possible, ensure that all URLs passed to URLInputHandler come exclusively from trusted, internal sources, never from user-supplied or external input. There is no safe code-level workaround short of applying the patch, as the vulnerability is in the library itself.
Resources
AnalysisAI
Server-Side Request Forgery in docling-graph versions up to 1.5.0 allows authenticated attackers with user interaction to bypass IP validation and reach private, loopback, and cloud metadata endpoints by supplying arbitrary URLs to the URLInputHandler class or via the --source CLI argument. The vulnerability combines missing internal IP address validation with unrestricted HTTP redirects (allow_redirects=True), enabling theft of cloud IAM credentials and access to internal services on 127.0.0.1, 10.x, 172.16.x, 192.168.x, and 169.254.169.254 address ranges. Vendor-released patch: v1.5.1.
Technical ContextAI
The URLInputHandler class in docling_graph/core/input/handlers.py processes user-supplied URLs but fails to validate whether HTTP requests resolve to private, loopback, link-local, or reserved IP address ranges before making requests. The URLValidator performs only superficial checks-validating scheme and non-empty netloc-without any IP-level filtering. Additionally, the requests.head() call was configured with allow_redirects=True, permitting HTTP Location header redirects to internal endpoints without validation. The root cause is CWE-918 (Server-Side Request Forgery) combined with CWE-601 (URL Redirection to Untrusted Site). The library uses the Python requests library for HTTP operations, which follows redirects by default. The fix implements IP validation using the ipaddress and socket.gethostbyname() modules to block private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and reserved address ranges before any request is made, and disables automatic redirect following in favor of explicit Location header validation.
RemediationAI
Upgrade docling-graph to version 1.5.1 or later immediately via pip install --upgrade docling-graph. The patch adds IP validation using ipaddress and socket.gethostbyname() to block private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local (169.254.0.0/16), and reserved address ranges before making any HTTP request, and sets allow_redirects=False with explicit Location header validation. As a temporary workaround only for environments that cannot immediately patch, restrict URL input exclusively to trusted, internal sources and never accept URLs from user-supplied or external input via CLI arguments or API parameters; however, no safe code-level workaround exists within the vulnerable library version itself. Monitor container registries and dependency management systems to ensure all instances of docling-graph are updated. Review logs for any historical requests to IP ranges 127.0.x.x, 169.254.x.x, 10.x.x.x, 172.16-31.x.x, or 192.168.x.x to identify potential exploitation.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30340
GHSA-fqph-j6v6-jvgx