python · docling · Critical
docling HTML backend security fixes for file access, SSRF, and redirect vulnerabilities
What changed
Security fixes in docling HTML backend: patched multiple vulnerabilities including local file access via file:// URIs, path traversal, SSRF, unvalidated HTTP redirects, and missing resource limits.
Who it affects
Users of docling versions prior to 2.91.0 who process untrusted HTML documents with enable_local_fetch or enable_remote_fetch enabled.
What to do today
Upgrade to version 2.94.0 or later, or ensure both enable_local_fetch and enable_remote_fetch are False when processing untrusted HTML.
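A pre-conversion audit for the reference classes named above, written for this page as an added example (not docling code, and it does not call docling): it lists the references in an untrusted HTML document that a backend with enable_local_fetch or enable_remote_fetch turned on could act on. The attribute set, the labels and the function names are assumptions; hostnames are not resolved and redirects are not followed, so a name that points at an internal address is only labelled remote-fetch.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_ATTRS = {"src", "href", "data", "poster"}  # assumed set of URL-bearing attributes

class _RefCollector(HTMLParser):
    """Collect every URL-bearing attribute value in the document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v.strip() for k, v in attrs if k in URL_ATTRS and v]

def classify(ref):
    """Return a risk label for one reference, or None if it triggers no fetch."""
    try:
        parts = urlsplit(ref)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable"
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "local-file-uri"
    if scheme in ("http", "https") or (not scheme and parts.netloc):
        try:
            internal = not ipaddress.ip_address(host).is_global
        except ValueError:  # a name, not an IP literal; DNS is not resolved here
            internal = host == "localhost" or host.endswith(".localhost")
        return "remote-internal-address" if internal else "remote-fetch"
    if scheme:
        return None  # data:, mailto:, javascript: and similar
    path = unquote(parts.path).replace("\\", "/")
    if path.startswith("/") or ".." in path.split("/"):
        return "local-path-escape"
    return "local-relative" if path else None

def audit_html(html):
    """List (reference, label) pairs that a fetching HTML backend could act on."""
    collector = _RefCollector()
    collector.feed(html)
    return [(r, lbl) for r in collector.refs if (lbl := classify(r))]

# Constructed sample input, not taken from any real document.
SAMPLE = """<img src="file:///etc/hostname"><img src="../../secrets/key.png">
<img src="http://169.254.169.254/latest/"><img src="https://example.com/logo.png">
<img src="images/chart.png"><a href="#top">top</a>"""

if __name__ == "__main__":
    for ref, label in audit_html(SAMPLE):
        print(f"{label:24} {ref}")
```

An empty result means the document contains no reference in the audited attributes; any local-* label is relevant when enable_local_fetch is on, any remote-* label when enable_remote_fetch is on.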