A high-severity vulnerability has been identified in the Docling Core library, a component used across multiple Docling products for document processing. This flaw allows an unauthenticated attacker to execute arbitrary code on the server by tricking the application into processing a specially crafted document. Successful exploitation could lead to a complete system compromise, resulting in data theft, service disruption, or further network intrusion.

The vulnerability exists within the docling-core library's document transformation module. Due to insufficient input validation when parsing complex data structures within a document, an attacker can craft a malicious file that triggers a deserialization flaw. When the application processes this malicious document, the flaw allows the attacker to execute arbitrary code with the same privileges as the Docling application service, leading to a full remote code execution (RCE) on the underlying server.

This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could have a significant negative impact on the business. An attacker could gain control of the server hosting the Docling application, enabling them to exfiltrate sensitive company or customer data, install ransomware, disrupt critical business operations that rely on the software, or use the compromised server as a pivot point to attack other internal systems. The potential consequences include major data breaches, financial loss, operational downtime, and severe reputational damage.

Immediate Action: Apply the security updates provided by Docling to all affected systems immediately. Prioritize patching on internet-facing systems. After patching, monitor application and system logs for any signs of exploitation attempts that may have occurred before the patch was applied.

Proactive Monitoring: Security teams should monitor for anomalous behavior on servers running Docling applications. This includes looking for unexpected processes being spawned by the application's user account, unusual outbound network connections to unknown destinations, and application error logs indicating failures or crashes related to document parsing.

Compensating Controls: If immediate patching is not feasible, consider implementing temporary controls. These include restricting document uploads to trusted sources only, using a Web Application Firewall (WAF) with rules designed to inspect and block malformed document uploads, and ensuring the Docling application runs with the lowest possible privileges in a sandboxed or containerized environment to limit the impact of a potential compromise.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the risk of remote code execution, this vulnerability represents a critical threat to the organization. We strongly recommend that all system owners identify affected Docling products within their environments and apply the vendor-supplied patches as a top priority. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and a tempting target for attackers. Immediate remediation is crucial to prevent a potential system compromise.