PT-2026-46104 · Pypi · Docling
Publicado
2026-06-03
·
Atualizado
2026-06-03
CVSS v3.1
7.1
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L |
Impact
The HTML backend did not perform sufficient validation during resource handling:
- Accepted
file://URIs enabling local file system access whenenable local fetch=True - Path resolution allowed traversal outside intended directories via
../sequences and absolute paths - Did not block internal network resources under
enable remote fetch=True - HTTP redirects were not validated, potentially redirecting to unintended schemes
- No resource limits for remote image downloads and
data:URIs
Patches
Fixed in versions 2.91.0 (initial fixes) and 2.94.0 (additional improvements). The fixes implement:
- Updated local path treatment: absolute files always blocked, relative paths require
enable local fetch=True(default: False) and containment within configuredbase pathfor path traversal protection file://scheme stripped & treated as local path (above)- IP address validation to prevent SSRF
- HTTP redirect validation, connection and read timeouts
- Size limit for both remote images (with streaming download) and base64-decoded data URIs
Workarounds
Keep both
enable local fetch=False and enable remote fetch=False (defaults) when processing untrusted HTML documents.References
Correção
Resource Exhaustion
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Docling