A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core >=2.21.0, <2.48.4 and, specifically only if the application uses pyyaml < 5.4 and invokes docling_core.types.doc.DoclingDocument.load_from_yaml() passing it untrusted YAML data.
The vulnerability has been patched in docling-core version 2.48.4.
The fix mitigates the issue by switching PyYAML deserialization from yaml.FullLoader to yaml.SafeLoader, ensuring that untrusted data cannot trigger code execution.
Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater, which supposedly patches CVE-2020-14343.