Information disclosure via XML External Entity (XXE) vulnerability
Summary
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.13.0 until 2.74.0, the USPTO patent XML parser used the standard xml.sax.parseString() without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could read arbitrary files from the server filesystem, perform Server-Side Request Forgery (SSRF) attacks, or cause denial of service through entity expansion (Billion Laughs attack). The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x. This vulnerability is fixed in 2.74.0. A flaw was found in docling. An attacker could exploit an XML External Entity (XXE) vulnerability in the USPTO patent XML parser by crafting malicious XML files. This could allow the attacker to read arbitrary files from the server's filesystem, perform Server-Side Request Forgery (SSRF) attacks, or cause a denial of service by consuming system resources through entity expansion. This is an Important vulnerability in docling, as shipped with Red Hat OpenShift AI, due to an XML External Entity (XXE) flaw in its USPTO patent XML parser. An attacker could exploit this by providing specially crafted XML files, leading to unauthorized access to local files, Server-Side Request Forgery (SSRF), or denial of service. The broad impact on data confidentiality and system availability elevates this to an Important severity. Red Hat severity: Important — CVSS 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H). Weakness: CWE-611. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Red Hat rates this important; a fix erratum may not be out yet — apply the RHSA as soon as it publishes.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.