Open-Source Security Intelligence

Know every vulnerability
before it knows you.

DevGuard continuously monitors your dependencies and alerts you when CVEs like this one affect your stack — with real-time threat intelligence built for developers.

Checkout DevGuard View on GitHub

GHSA-cjqg-rq2h-2fvj

HighCVSS 7.5 / 10

Published Jun 3, 2026·Last modified Jun 3, 2026

Affected Components(1)

docling

< 2.91.0

Description

Impact

In versions < 2.91.0, The EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromise the model download source (via supply chain attack, DNS spoofing, or MITM), they could write arbitrary files to any location writable by the process, potentially achieving:

Remote code execution by overwriting Python files or system binaries
Persistent backdoors by modifying startup scripts or SSH keys
Data corruption or system compromise

Patches

Fixed in version 2.91.0. The extraction process now validates each archive member path using os.path.realpath() to ensure it remains within the target directory, raising a SecurityError for any path traversal attempts.

Workarounds

Ensure model downloads occur over secure, authenticated channels. Use integrity verification (checksums) for downloaded models. Run the application with minimal file system permissions.

References

Fix release: v2.91.0

Risk Scores

Base Score

7.5

The vulnerability can be exploited over the network without needing physical access. It is difficult for an attacker to exploit this vulnerability and may require special conditions. An attacker does not need any special privileges or access rights. The attacker needs the user to perform some action, like clicking a link. The impact is confined to the system where the vulnerability exists. There is a high impact on the confidentiality of the information. There is a high impact on the integrity of the data. There is a high impact on the availability of the system.

Threat Intelligence

6.9

Exploitation attempts have been detected. Elevated vigilance and prompt remediation are advised.

EPSS

N/A

Probability that this vulnerability will be exploited in the wild within the next 30 days.

Exploit

Not available

We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database.

Browse More

High severity

Scan your project

Continuously monitor your dependencies and get alerted when vulnerabilities like this one affect your stack.