docling-core@2.74.0

A Python library to define and validate data types in Docling.

  • latest version

    3.0.0

  • latest non vulnerable version

  • first published

    1 year ago

  • latest version published

    1 year ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the docling-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    External Control of File Name or Path

    docling-core is a Python library to define and validate data types in Docling.

    Affected versions of this package are vulnerable to External Control of File Name or Path in the pil_image() function, when handling image reference URIs. An attacker can access local files using the file:// scheme, or cause excessive memory consumption with a reference using the data: scheme that points to a very large image payload.

    How to fix External Control of File Name or Path?

    Upgrade docling-core to version 2.74.1 or higher.

    [2.5.0,2.74.1)
    • H
    Server-side Request Forgery (SSRF)

    docling-core is a Python library to define and validate data types in Docling.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the resolve_remote_filename() function, which processes headers from remote requests. An attacker can access sensitive files or internal resources by supplying malicious URLs in the Content-Disposition parameter that are resolved to unintended local paths.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade docling-core to version 2.74.1 or higher.

    [1.5.0,2.74.1)
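
Caller-side checks for the two untrusted inputs named in the advisories above (image reference URIs and the Content-Disposition filename), added here as an example; this is not docling-core's code or the 2.74.1 patch. The function names, the scheme allowlist, the base64-only rule and the size cap are assumptions.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "data"}   # assumption: file:// and bare paths are never needed
MAX_IMAGE_BYTES = 10 * 1024 * 1024    # assumption: 10 MiB cap on decoded image bytes


def check_image_uri(uri: str, max_bytes: int = MAX_IMAGE_BYTES) -> str:
    """Return the scheme if the image reference is acceptable, else raise ValueError."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme or '(none)'}")
    if scheme == "data":
        header, sep, payload = uri.partition(",")
        if not sep or not header.lower().endswith(";base64"):
            raise ValueError("only base64 data: URIs are accepted")
        # Bound the decoded size from the encoded length, before decoding anything.
        if len(payload) * 3 // 4 > max_bytes:
            raise ValueError("data: payload exceeds size cap")
    return scheme


def safe_download_name(content_disposition: str, fallback: str = "download.bin") -> str:
    """Reduce a server-supplied filename to a bare basename, never a path or URL."""
    m = re.search(r'filename=(?:"([^"]*)"|([^;]*))', content_disposition, re.I)
    raw = (m.group(1) or m.group(2) or "").strip() if m else ""
    # Drop directory parts under both POSIX and Windows separator rules.
    name = PureWindowsPath(PurePosixPath(raw).name).name
    # Keep a conservative character set; leading dots are stripped so ".." cannot survive.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or fallback
```

The byte cap does not bound decoded pixel dimensions; Pillow's `Image.MAX_IMAGE_PIXELS` limit covers that separately.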