CVE Reports

Originally published at cvereports.com

CVE-2026-24009: YAML Deserialization: The Gift That Keeps on Giving in Docling-Core

Vulnerability ID: CVE-2026-24009
CVSS Score: 8.1
Published: 2026-01-22

A classic remote code execution vulnerability in the docling-core library caused by the insecure use of PyYAML's FullLoader, allowing attackers to turn document processing pipelines into remote shells.

TL;DR

The docling-core library, used for processing and modeling documents, contained a critical vulnerability in its YAML loading mechanism. By explicitly using yaml.FullLoader instead of SafeLoader, the library allowed the deserialization of arbitrary Python objects. This means if you can get the application to parse a malicious YAML file, you can execute code on the server. The fix is a one-line change to SafeLoader in version 2.48.4.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-502
  • Attack Vector: Network
  • CVSS: 8.1 (High)
  • Impact: Remote Code Execution (RCE)
  • Vulnerable Component: docling_core.types.doc.DoclingDocument.load_from_yaml
  • Gadget Chain: PyYAML !!python/object/apply

Affected Systems

  • docling-core < 2.48.4
  • Applications implementing docling-core for document ingestion
  • AI/ML pipelines using docling for data preprocessing
  • docling-core: >= 2.21.0, < 2.48.4 (Fixed in: 2.48.4)

Code Analysis

Commit: 3e8d628

fix: use SafeLoader for yaml load

-            data = yaml.load(f, Loader=yaml.FullLoader)
+            data = yaml.load(f, Loader=yaml.SafeLoader)
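
Review bot: on the `+` line the call still goes through the generic yaml.load with a Loader keyword, so a later edit to that one argument brings the unsafe behaviour back; yaml.safe_load(f) is equivalent and leaves no loader to swap. The visible hunk also has no regression test: a test that passes load_from_yaml a document carrying a Python-specific tag and expects the load to fail would pin the fix.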

Exploit Details

  • Common Knowledge: Standard PyYAML FullLoader deserialization bypass using os.system gadget.

Mitigation Strategies

  • Upgrade docling-core to version 2.48.4 or later.
  • Identify all usages of PyYAML in your codebase and enforce Loader=yaml.SafeLoader.
  • Block uploads of files with YAML extensions if they are not strictly required.
  • Run document processing pipelines in strictly sandboxed environments (gVisor, Firecracker) with no egress network access.
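
One way to carry out the "identify all usages of PyYAML" item above is a small AST audit, shown here as an added example that is not code from docling-core or from the original report. It assumes the module is imported under its usual name `yaml` (aliased or `from yaml import load` imports are not matched), and the sample source is constructed for illustration.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}
LOADER_CALLS = {"load", "load_all"}  # functions that take a Loader argument
NON_SAFE_SHORTCUTS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}

# Constructed sample input, not taken from docling-core.
SAMPLE = '''\
import yaml
with open("doc.yaml") as f:
    a = yaml.load(f, Loader=yaml.FullLoader)
b = yaml.load(open("x.yaml"), Loader=yaml.SafeLoader)
c = yaml.safe_load("k: v")
d = yaml.load("k: v")
e = yaml.full_load("k: v")
'''

def _tail(node):
    """Trailing identifier of `yaml.SafeLoader` or a bare `SafeLoader`, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unsafe_yaml_loads(source, filename="<src>"):
    """Return sorted (line, reason) pairs for yaml.* calls not pinned to a safe loader."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        target = node.func
        # Assumption: the module is referenced by its usual name `yaml`.
        if not (isinstance(target.value, ast.Name) and target.value.id == "yaml"):
            continue
        if target.attr in NON_SAFE_SHORTCUTS:
            findings.append((node.lineno, f"yaml.{target.attr} does not use SafeLoader"))
        elif target.attr in LOADER_CALLS:
            loader = next((k.value for k in node.keywords if k.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]  # Loader passed positionally
            if loader is None:
                findings.append((node.lineno, f"yaml.{target.attr} without Loader"))
            elif _tail(loader) not in SAFE_LOADERS:
                label = _tail(loader) or "a dynamic loader"
                findings.append((node.lineno, f"yaml.{target.attr} with {label}"))
    return sorted(findings)

if __name__ == "__main__":
    for line, reason in find_unsafe_yaml_loads(SAMPLE):
        print(f"line {line}: {reason}")
```

To audit a real tree, call `find_unsafe_yaml_loads` on the text of each `.py` file and fail the CI job when the result is non-empty.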

Remediation Steps:

  1. Locate the dependency declaration (requirements.txt, pyproject.toml).
  2. Update docling-core to >=2.48.4.
  3. Rebuild and redeploy the application.
  4. Audit logs for any past errors related to YAML parsing that might indicate attempted exploitation.
