Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Docling versions through 2.61.0 contain an XML External Entity (XXE) vulnerability in the METS GBS backend that enables denial-of-service attacks through XML Entity Expansion (also known as XML Bomb attacks). The vulnerability exists because the backend uses etree.fromstring() to parse XML files extracted from .tar.gz archives without disabling entity resolution. An attacker can craft a malicious tar.gz file containing an XML document with deeply nested entity definitions that expand exponentially during parsing, consuming excessive CPU and memory resources until the service becomes unavailable. This affects any organization or user relying on Docling for document processing, particularly those handling untrusted or user-supplied archive files.
While this CVE currently has zero mapped skills in Casky's 754-skill security framework, practitioners would detect attack patterns through behavioral anomalies characteristic of resource exhaustion attacks: sustained high CPU consumption during document processing, memory allocation spikes, and service timeouts triggered by specific archive uploads. Casky's Claude-powered analysis would correlate these indicators with CWE-776 (Improper Restriction of Rendered UI Layers or Frames) patterns and identify the attack chain as Denial of Service (T1499). Security teams should focus on input validation controls—specifically validating XML structure before processing and implementing resource limits on parsing operations—and monitor for suspicious tar.gz archives with oversized or recursively-defined XML payloads that deviate from normal document processing patterns.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-31248. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation