CVE-2026-31248 Overview
CVE-2026-31248 affects the Docling document parser through version 2.61.0. The METS GBS backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. Attackers can submit a crafted archive containing an XML file with nested entity definitions, commonly known as an XML Bomb. When Docling parses the file, exponential entity expansion exhausts memory and CPU resources. The result is a denial of service (DoS) on the system running the parser. The flaw is categorized as Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) [CWE-776].
Critical Impact
Remote attackers can trigger resource exhaustion and crash document processing services by submitting a malicious .tar.gz archive without authentication or user interaction.
Affected Products
- Docling document parser through version 2.61.0
- Docling METS GBS backend component
- Applications and services that embed Docling for document ingestion
Discovery Timeline
- 2026-05-11 - CVE-2026-31248 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-31248
Vulnerability Analysis
Docling's METS GBS backend processes archives that bundle METS (Metadata Encoding and Transmission Standard) XML descriptors alongside content files. The backend opens the .tar.gz archive, extracts the embedded XML, and passes it directly to etree.fromstring() from the lxml library. The parser is invoked with default options, which leave external entity resolution and internal entity expansion enabled. An attacker who controls the archive contents controls the XML payload the parser receives.
XML Entity Expansion abuses recursive entity declarations to multiply a small input into gigabytes of in-memory data. The canonical Billion Laughs pattern defines an entity that references another entity multiple times, which in turn references a third entity, and so on. Each parsing layer expands references exponentially, exhausting heap memory and CPU cycles before the document is fully materialized. The Docling worker process becomes unresponsive or terminates, denying service to all queued documents.
Root Cause
The root cause is the use of etree.fromstring() without a hardened parser configuration. The function does not disable entity resolution by default, so any document type definition (DTD) declared inside the XML is processed. The METS GBS backend performs no pre-parse size checks, entity-count limits, or DTD stripping before handing the buffer to the XML parser.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker uploads, submits, or otherwise causes Docling to ingest a .tar.gz archive that contains a crafted METS XML file. The archive layout matches what the backend expects, so extraction succeeds. Once etree.fromstring() begins parsing, entity expansion consumes available memory until the process is killed or the host becomes unresponsive.
No verified public proof-of-concept code is available. Defenders can reference the Docling project repository and the CVE-2026-31248 advisory notes for technical context.
Detection Methods for CVE-2026-31248
Indicators of Compromise
- Docling worker processes consuming abnormal amounts of resident memory shortly after archive ingestion.
- Repeated out-of-memory (OOM) kills or process crashes in Docling service logs correlated with .tar.gz uploads.
- METS XML payloads containing nested <!ENTITY> declarations or DTD blocks referencing other entities recursively.
- Submitted archives with unusually small XML files that produce disproportionate parser runtime.
Detection Strategies
- Inspect ingested XML files for <!DOCTYPE> declarations and nested entity definitions before they reach the parser.
- Monitor Docling host metrics for sudden CPU saturation or memory spikes scoped to the parser process.
- Alert on etree.fromstring() call traces that exceed a defined parse time threshold.
- Correlate archive uploads with subsequent process termination events in container or systemd logs.
Monitoring Recommendations
- Set per-process memory and CPU ceilings on Docling workers and capture telemetry when limits are hit.
- Forward Docling application logs and host resource metrics to a centralized analytics platform for correlation.
- Track the volume of .tar.gz submissions per source identity and flag anomalous bursts.
How to Mitigate CVE-2026-31248
Immediate Actions Required
- Upgrade Docling to a release later than 2.61.0 that addresses the METS GBS backend parsing path.
- Disable or restrict the METS GBS backend until the patched version is deployed.
- Place Docling workers behind an ingestion proxy that rejects archives containing XML with DTD declarations.
- Apply strict resource limits (cgroups, container quotas) so a single malicious document cannot exhaust the host.
Patch Information
The vulnerability is reported in Docling versions through 2.61.0. Refer to the Docling project repository for the current patched release and changelog entries that disable entity resolution in the METS GBS backend.
Workarounds
- Configure the XML parser with resolve_entities=False and no_network=True, and reject input containing a DTD before parsing.
- Pre-scan .tar.gz payloads and drop any contained XML that includes <!DOCTYPE or <!ENTITY declarations.
- Run Docling in a sandboxed container with hard memory limits and automatic restart on OOM.
- Rate-limit document submissions per tenant or user to reduce the blast radius of repeated DoS attempts.
# Example hardened lxml parser configuration
# (illustrative remediation pattern, not vendor-supplied code)
from lxml import etree
parser = etree.XMLParser(
resolve_entities=False,
no_network=True,
huge_tree=False,
dtd_validation=False,
load_dtd=False,
)
tree = etree.fromstring(xml_bytes, parser=parser)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
