python · docling · Critical
docling v2.74.0 fixes XXE vulnerability in USPTO patent XML parsers
What changed
The USPTO patent XML parsers (ICE v4.x, Grant v2.5, Application v1.x) fed input to the standard library's xml.sax.parseString(), which places no restriction on the DOCTYPE and entity declarations a document may carry, so a crafted patent file could mount an XML External Entity (XXE) attack through the parser. v2.74.0 replaces that call with a parser obtained from defusedxml.sax.make_parser(), configured to refuse entity declarations and external references rather than expand or fetch them.
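The unsafe pattern beside a hardened replacement, as an added example that is not docling's code. docling's fix uses defusedxml.sax.make_parser(); the HardenedExpatParser below reproduces the same kind of protection with the standard library alone, by installing expat callbacks that reject entity declarations and never fetch external references, so it runs without defusedxml installed. The sample documents, the element names, the EntityRejected exception and the forbid_dtd knob are all constructed for this example; they are neither the USPTO schema nor docling's or defusedxml's API, and the page does not state which options docling sets.

```python
"""Added example, not docling's code. docling's fix uses defusedxml.sax.make_parser();
HardenedExpatParser below reproduces that kind of protection with the standard library
alone (expat callbacks that reject entity declarations and never fetch external
references). All sample documents and element names are constructed for the example."""
import io
import xml.sax
from xml.sax.expatreader import ExpatParser
from xml.sax.handler import ContentHandler

# Constructed sample: the classic XXE shape, an internal plus a SYSTEM entity.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE patent [
  <!ENTITY title "Example title">
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<patent><invention-title>&title;</invention-title><abstract>&secret;</abstract></patent>"""

# Constructed sample: two-level entity expansion, 10 x 10 chars = 100 chars of output.
EXPANSION_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE patent [
  <!ENTITY a "0123456789">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<patent><abstract>&b;</abstract></patent>"""

# Constructed sample: a DOCTYPE that only names an external DTD, no entity declarations.
DTD_REF_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE patent SYSTEM "patent.dtd">
<patent><abstract>ok</abstract></patent>"""


class TextCollector(ContentHandler):
    """Gathers character data keyed by element name, as a simple extractor would."""
    def __init__(self):
        super().__init__()
        self.texts, self._stack = {}, []
    def startElement(self, name, attrs):
        self._stack.append(name)
        self.texts.setdefault(name, "")
    def characters(self, content):
        if self._stack:
            self.texts[self._stack[-1]] += content
    def endElement(self, name):
        self._stack.pop()


class EntityRejected(ValueError):
    """Raised by HardenedExpatParser on a forbidden DTD or entity declaration."""


class HardenedExpatParser(ExpatParser):
    """xml.sax parser that rejects entity declarations and never fetches external
    resources; forbid_dtd=True additionally rejects any DOCTYPE. Callbacks go in
    reset() because xml.sax builds a fresh expat parser there before each parse."""
    def __init__(self, forbid_dtd=False, **kwargs):
        super().__init__(**kwargs)
        self.forbid_dtd = forbid_dtd
    def reset(self):
        super().reset()
        self._parser.StartDoctypeDeclHandler = self._on_doctype
        self._parser.EntityDeclHandler = self._reject_entity
        self._parser.UnparsedEntityDeclHandler = self._reject_entity
        self._parser.ExternalEntityRefHandler = self._skip_external
    def _on_doctype(self, name, sysid, pubid, has_internal_subset):
        if self.forbid_dtd:
            raise EntityRejected(f"DTD for <{name}> not allowed")
    def _reject_entity(self, name, *decl):
        # Fires for internal, external, parameter and unparsed entities, before expansion.
        raise EntityRejected(f"entity declaration {name!r} not allowed")
    def _skip_external(self, context, base, sysid, pubid):
        # Only the external DTD subset reaches here; 1 tells expat to go on without reading it.
        return 1


def parse_unsafe(xml_text):
    """Pre-2.74.0 pattern: plain xml.sax.parseString(). It accepts the DOCTYPE and
    expands internal entities; on Python 3.7.1+ the SYSTEM entity is skipped
    silently, on older interpreters the referenced file is read into the tree."""
    handler = TextCollector()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.texts


def parse_hardened(xml_text, forbid_dtd=False):
    """Post-fix shape: same content handler, hardened parser."""
    parser = HardenedExpatParser(forbid_dtd=forbid_dtd)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.texts


def hardened_rejects(xml_text, forbid_dtd=False):
    """True when the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text, forbid_dtd)
    except EntityRejected:
        return True
    return False
```

Two points worth checking in a real deployment. First, since Python 3.7.1 the stock xml.sax parser no longer resolves external general entities by default, so parse_unsafe() on a current interpreter returns an empty abstract for XXE_SAMPLE rather than the file contents, yet the entity expansion in EXPANSION_SAMPLE still goes through; that is why the hardened parser rejects entity declarations outright instead of only disabling external fetches. Second, USPTO ICE files open with a DOCTYPE that names the schema's DTD by SYSTEM identifier; the example keeps forbid_dtd off and skips that reference without fetching it, and whatever configuration the upgraded parser uses should be tested against an unmodified USPTO file to confirm that declaration is tolerated rather than treated as a forbidden external reference.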
Who it affects
Any docling deployment that processes USPTO patent XML files, above all those that accept files from untrusted or third-party sources.
What to do today
Upgrade to docling 2.74.0 or later and pin that minimum in your dependency constraints. Until the upgrade is in place, do not pass USPTO XML from untrusted sources through the affected parsers.