PT-2026-59126 · Pypi · Docling-Core
Publicado
2026-07-13
·
Atualizado
2026-07-13
CVSS v3.1
8.6
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
Impact
In versions
>= 1.5.0, < 2.74.1, docling-core did not sufficiently restrict remote request destinations and could resolve a server-provided Content-Disposition to a local path in an unsafe manner.In applications that accept untrusted URLs, this could allow SSRF attacks targeting local files outside the user-defined cache directory.
Patches
Patched in
docling-core 2.74.1.
The fix adds stricter validation for remote destinations and normalizes server-provided filenames before use.Users should upgrade to:
docling-core>= 2.74.1
Workarounds
If upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality.
References
- Fix release:
v2.74.1
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Docling-Core