Docling: Unsafe URI and Path Handling in HTML Backend
Description
Impact
The HTML backend did not perform sufficient validation during resource handling: - Accepted file:// URIs enabling local file system access when enable_local_fetch=True - Path resolution allowed traversal outside intended directories via ../ sequences and absolute paths - Did not block internal network resources under enable_remote_fetch=True - HTTP redirects were not validated, potentially redirecting to unintended schemes - No resource limits for remote image downloads and data: URIs
Patches
Fixed in versions 2.91.0 (initial fixes) and 2.94.0 (additional improvements). The fixes implement: - Updated local path treatment: absolute files always blocked, relative paths require enable_local_fetch=True (default: False) and containment within configured base_path for path traversal protection - file:// scheme stripped & treated as local path (above) - IP address validation to prevent SSRF - HTTP redirect validation, connection and read timeouts - Size limit for both remote images (with streaming download) and base64-decoded data URIs
Workarounds
Keep both enable_local_fetch=False and enable_remote_fetch=False (defaults) when processing untrusted HTML documents.
### References - Initial fixes: v2.91.0 - Additional improvements: v2.94.0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
doclingPyPI | < 2.94.0 | 2.94.0 |
Affected products
2- Range: >=2.91.0, <2.94.0
Patches
Vulnerability mechanics
References
4News mentions
1- Docling Project: Eight High-Severity Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 3, 2026