PT-2026-59126 · Pypi · Docling-Core

Publicado

2026-07-13

·

Atualizado

2026-07-13

CVSS v3.1

8.6

Alta

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Impact

In versions >= 1.5.0, < 2.74.1, docling-core did not sufficiently restrict remote request destinations and could resolve a server-provided Content-Disposition to a local path in an unsafe manner.
In applications that accept untrusted URLs, this could allow SSRF attacks targeting local files outside the user-defined cache directory.

Patches

Patched in docling-core 2.74.1. The fix adds stricter validation for remote destinations and normalizes server-provided filenames before use.
Users should upgrade to:
  • docling-core >= 2.74.1

Workarounds

If upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality.

References

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-2457

Produtos afetados

Docling-Core