Listen to this Post
This vulnerability resides in Docling’s LaTeX backend, which processes documents for conversion. The core issue is a lack of path containment validation for the \includegraphics, \input, and `\include` LaTeX commands. An attacker can craft a malicious LaTeX document that uses path traversal sequences, such as ../../../etc/passwd, to read arbitrary files from the server’s filesystem. Because the backend doesn’t check if a requested file path stays within the intended base directory, it resolves and follows the traversal sequence, allowing access to sensitive system files like /etc/passwd, configuration files, or credentials. This access can then lead to the inclusion of these sensitive files in the final converted document output, effectively exfiltrating the data. The fix, introduced in version 2.91.0, implements strict validation using `Path.resolve().is_relative_to()` to ensure all resolved paths remain within the base document directory, blocking any traversal attempts.
DailyCVE Form:
Platform: Docling
Version: 2.73.0–2.91.0
Vulnerability: Path Traversal
Severity: Medium (CVSS 5.5)
Date: Jun 02, 2026
Prediction: Already Patched (Apr 23)
What Undercode Say:
Check installed Docling version
pip show docling | grep Version
Detected version <2.91.0 → Vulnerable
Exploit payload inside malicious LaTeX file
\input{../../../etc/passwd}
\includegraphics{../../../etc/shadow}
Simulate log after fix (v2.91.0+)
WARNING: Path traversal attempt blocked for input file: ../../../etc/passwd
Exploit:
Create a LaTeX file (exploit.tex) with `\input{../../../etc/passwd}` or similar. Process it with docling exploit.tex. The vulnerable version will read and output the target file content. The fix blocks this by validating that img_full_path.resolve().is_relative_to(base_dir); if false, the attempt is logged and rejected.
Protection:
Upgrade: Update Docling to version 2.91.0 or later (pip install --upgrade docling).
Workaround: Avoid processing untrusted LaTeX documents. If necessary, use a sandboxed environment with restricted filesystem access.
Impact:
An attacker can read arbitrary files from the server, including /etc/passwd, configuration files, or credentials. This can lead to privilege escalation or lateral movement if sensitive data is leaked. The issue affects all versions of `pip/docling` from 2.73.0 up to (but not including) 2.91.0.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
