GHSA-CJQG-RQ2H-2FVJ
Vulnerability from github – Published: 2026-06-03 20:02 – Updated: 2026-06-03 20:02Impact
In versions < 2.91.0, The EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromise the model download source (via supply chain attack, DNS spoofing, or MITM), they could write arbitrary files to any location writable by the process, potentially achieving:
- Remote code execution by overwriting Python files or system binaries
- Persistent backdoors by modifying startup scripts or SSH keys
- Data corruption or system compromise
Patches
Fixed in version 2.91.0. The extraction process now validates each archive member path using os.path.realpath() to ensure it remains within the target directory, raising a SecurityError for any path traversal attempts.
Workarounds
Ensure model downloads occur over secure, authenticated channels. Use integrity verification (checksums) for downloaded models. Run the application with minimal file system permissions.
References
- Fix release: v2.91.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "docling"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.91.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44017"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-03T20:02:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nIn versions `\u003c 2.91.0`, The EasyOCR model download functionality extracted ZIP archives without validating member paths, enabling Zip Slip attacks. If an attacker could compromise the model download source (via supply chain attack, DNS spoofing, or MITM), they could write arbitrary files to any location writable by the process, potentially achieving:\n- Remote code execution by overwriting Python files or system binaries\n- Persistent backdoors by modifying startup scripts or SSH keys\n- Data corruption or system compromise\n\n### Patches\nFixed in version 2.91.0. The extraction process now validates each archive member path using `os.path.realpath()` to ensure it remains within the target directory, raising a `SecurityError` for any path traversal attempts.\n\n### Workarounds\nEnsure model downloads occur over secure, authenticated channels. Use integrity verification (checksums) for downloaded models. Run the application with minimal file system permissions.\n\n### References\n- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)",
"id": "GHSA-cjqg-rq2h-2fvj",
"modified": "2026-06-03T20:02:42Z",
"published": "2026-06-03T20:02:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/security/advisories/GHSA-cjqg-rq2h-2fvj"
},
{
"type": "PACKAGE",
"url": "https://github.com/docling-project/docling"
},
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/releases/tag/v2.91.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Docling: Unsafe Zip Extraction in EasyOCR Model Download"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.