docling-core 2.23.0

Direct Vulnerabilities

Known vulnerabilities in the docling-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H External Control of File Name or Path docling-core is an A python library to define and validate data types in Docling. Affected versions of this package are vulnerable to External Control of File Name or Path in the `pil_image()` function, when handling image reference URIs. An attacker can access local files using the `file://` scheme, or cause excessive memory consumption with a reference using the `data:` scheme that points to a very large image payload. How to fix External Control of File Name or Path? Upgrade `docling-core` to version 2.74.1 or higher.	[2.5.0,2.74.1)
H Server-side Request Forgery (SSRF) docling-core is an A python library to define and validate data types in Docling. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the `resolve_remote_filename()` function, which processes headers from remote requests. An attacker can access sensitive files or internal resources by supplying malicious URLs in the `Content-Disposition` parameter that are resolved to unintended local paths. How to fix Server-side Request Forgery (SSRF)? Upgrade `docling-core` to version 2.74.1 or higher.	[1.5.0,2.74.1)
C Deserialization of Untrusted Data docling-core is an A python library to define and validate data types in Docling. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the `load_from_yaml` function. An attacker can execute arbitrary code by providing malicious YAML input to the deserialization process. Note: This is only exploitable if the application uses a vulnerable version of PyYAML (below 5.4) and invokes the affected function with untrusted YAML data - See CVE-2020-14343. How to fix Deserialization of Untrusted Data? Upgrade `docling-core` to version 2.48.4 or higher.	[2.21.0,2.48.4)

Vulnerability

Vulnerable Version

External Control of File Name or Path

docling-core is an A python library to define and validate data types in Docling.

Affected versions of this package are vulnerable to External Control of File Name or Path in the pil_image() function, when handling image reference URIs. An attacker can access local files using the file:// scheme, or cause excessive memory consumption with a reference using the data: scheme that points to a very large image payload.

How to fix External Control of File Name or Path?

Upgrade docling-core to version 2.74.1 or higher.

[2.5.0,2.74.1)

Server-side Request Forgery (SSRF)

docling-core is an A python library to define and validate data types in Docling.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the resolve_remote_filename() function, which processes headers from remote requests. An attacker can access sensitive files or internal resources by supplying malicious URLs in the Content-Disposition parameter that are resolved to unintended local paths.

How to fix Server-side Request Forgery (SSRF)?

Upgrade docling-core to version 2.74.1 or higher.

[1.5.0,2.74.1)

Deserialization of Untrusted Data

docling-core is an A python library to define and validate data types in Docling.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the load_from_yaml function. An attacker can execute arbitrary code by providing malicious YAML input to the deserialization process.

Note: This is only exploitable if the application uses a vulnerable version of PyYAML (below 5.4) and invokes the affected function with untrusted YAML data - See CVE-2020-14343.

How to fix Deserialization of Untrusted Data?

Upgrade docling-core to version 2.48.4 or higher.

[2.21.0,2.48.4)

docling-core@2.23.0

A python library to define and validate data types in Docling.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically