Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from Vendor (https://github.com/docling-project/docling) · only source for this CVE.
CVSS VectorVendor: https://github.com/docling-project/docling
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 pypi packages depend on docling (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.94.0.
DescriptionCVE.org
Impact
The HTML backend did not perform sufficient validation during resource handling:
- Accepted
file://URIs enabling local file system access whenenable_local_fetch=True - Path resolution allowed traversal outside intended directories via
../sequences and absolute paths - Did not block internal network resources under
enable_remote_fetch=True - HTTP redirects were not validated, potentially redirecting to unintended schemes
- No resource limits for remote image downloads and
data:URIs
Patches
Fixed in versions 2.91.0 (initial fixes) and 2.94.0 (additional improvements). The fixes implement:
- Updated local path treatment: absolute files always blocked, relative paths require
enable_local_fetch=True(default: False) and containment within configuredbase_pathfor path traversal protection file://scheme stripped & treated as local path (above)- IP address validation to prevent SSRF
- HTTP redirect validation, connection and read timeouts
- Size limit for both remote images (with streaming download) and base64-decoded data URIs
Workarounds
Keep both enable_local_fetch=False and enable_remote_fetch=False (defaults) when processing untrusted HTML documents.
References
AnalysisAI
Path traversal and SSRF in Docling's HTML backend allow attackers to coerce the document processor into reading local files, contacting internal network resources, and consuming unbounded resources when a crafted HTML document is processed with non-default fetch flags enabled. The flaw affects the docling Python package prior to 2.94.0 and stems from missing validation of file:// URIs, relative/absolute paths, HTTP redirects, and download sizes; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Docling is an IBM-originated open-source Python library (pkg:pip/docling) used to parse and convert documents (HTML, DOCX, PPTX, PDF, etc.) into structured representations, frequently embedded in document-ingestion and RAG pipelines. The vulnerable component is the HTML backend's resource resolver, which fetches images and other linked assets referenced from an input HTML document. The root cause maps to CWE-73 (External Control of File Name or Path): user-controlled URIs in HTML were passed to file and network handlers without scheme allow-listing, IP filtering, redirect validation, or size caps, simultaneously enabling local file disclosure via file:// and ../ traversal and server-side request forgery against internal IPs when enable_remote_fetch was active. The 2.91.0 and 2.94.0 fixes add absolute-path blocking, base_path containment, file:// stripping, IP address validation, redirect/timeout enforcement, and streaming size limits for remote images and data: URIs.
RemediationAI
Vendor-released patch: upgrade docling to 2.94.0 or later (pip install --upgrade 'docling>=2.94.0'); 2.91.0 contains partial fixes but 2.94.0 is required for full coverage, per the release notes at https://github.com/docling-project/docling/releases/tag/v2.91.0 and https://github.com/docling-project/docling/releases/tag/v2.94.0. If upgrading immediately is not feasible, the vendor-recommended workaround is to keep both enable_local_fetch=False and enable_remote_fetch=False (the defaults) when processing untrusted HTML, which fully neutralizes the file:// and SSRF paths at the cost of losing the ability to inline local images or follow remote image references during conversion. For pipelines that must render images, run docling inside a network-egress-restricted sandbox that denies RFC1918 destinations and local filesystem access outside a dedicated working directory, and constrain base_path to a non-sensitive scratch directory; this preserves functionality but trades operational complexity for safety. Full advisory: https://github.com/docling-project/docling/security/advisories/GHSA-q29v-xc37-wh5m.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39791
GHSA-q29v-xc37-wh5m