Executive Summary

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks in versions up to 2.61.0. The vulnerability arises because the backend processes XML files extracted from .tar.gz archives using etree.fromstring() without disabling entity resolution.

An attacker can craft a malicious XML file containing nested entity definitions, often called an XML Bomb, and package it into a .tar.gz archive. When Docling processes this archive, the XML parser expands these entities exponentially, consuming excessive system resources.

This excessive resource consumption leads to a denial of service (DoS) condition on the system running the Docling parser.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) on systems running the Docling METS GBS backend by exhausting system resources during XML parsing.

An attacker exploiting this vulnerability can disrupt normal operations by sending specially crafted XML files that trigger excessive CPU and memory usage, potentially making the service unavailable.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability arises because Docling's METS GBS backend uses etree.fromstring() to parse XML files without disabling entity resolution, allowing XML Entity Expansion (XXE) attacks that cause denial of service through resource exhaustion.

To mitigate this vulnerability immediately, you should avoid processing untrusted or malicious .tar.gz archives containing XML files with Docling until a fix or update is available.

Additionally, consider implementing XML parsing configurations that disable entity resolution or use safer XML parsing libraries that prevent entity expansion.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify how the XML Entity Expansion (XXE) vulnerability in Docling's METS GBS backend affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0