{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cloud-metadata/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Gotenberg/v8 (\u003c 8.32.0)"],"_cs_severities":["high"],"_cs_tags":["ssrf","gotenberg","cve-2026-42595","cloud-metadata"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA server-side request forgery (SSRF) vulnerability exists in Gotenberg, an open-source PDF conversion tool. Specifically, the Chromium URL-to-PDF conversion endpoint (\u003ccode\u003e/forms/chromium/convert/url\u003c/code\u003e) lacks default protection against HTTP/HTTPS-based SSRF, while the default deny-list only blocks \u003ccode\u003efile://\u003c/code\u003e URIs. This allows unauthenticated attackers to target internal IPs, RFC 1918 ranges, and cloud metadata endpoints, receiving the response rendered as a PDF. Furthermore, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. The Gotenberg instance follows \u003ccode\u003e302\u003c/code\u003e redirects from attacker-controlled external URLs to internal targets without re-validating the redirect destination against the deny-list. 
Version 8.30.1 of Gotenberg is confirmed to be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Gotenberg instance accessible over the network, which requires no authentication by default.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/forms/chromium/convert/url\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a \u003ccode\u003eurl\u003c/code\u003e parameter pointing to an internal resource (e.g., \u003ccode\u003ehttp://127.0.0.1:3000/health\u003c/code\u003e or \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAlternatively, the POST request includes a \u003ccode\u003eurl\u003c/code\u003e parameter pointing to an external redirect server (e.g., \u003ccode\u003ehttp://172.17.0.1:9999/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf using a redirect, the external server responds with a \u003ccode\u003e302\u003c/code\u003e redirect to an internal target (e.g., \u003ccode\u003ehttp://127.0.0.1:3000/health\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Gotenberg server, using a headless Chromium instance, fetches the URL (or follows the redirect) without proper validation.\u003c/li\u003e\n\u003cli\u003eThe response from the internal resource is rendered as a PDF document.\u003c/li\u003e\n\u003cli\u003eThe PDF document containing the sensitive information is returned to the attacker. The attacker exfiltrates the data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to make the Gotenberg server fetch arbitrary internal resources and receive the rendered content as a PDF. 
This can lead to cloud credential theft by accessing cloud metadata endpoints, internal service access by reaching admin panels or databases, and internal port scanning. The redirect bypass further exacerbates the risk, rendering custom deny-lists ineffective. This vulnerability affects Gotenberg deployments that have broad internal network access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gotenberg SSRF via Chromium URL Endpoint\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for HTTP POST requests to the \u003ccode\u003e/forms/chromium/convert/url\u003c/code\u003e endpoint with potentially malicious URLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gotenberg SSRF Redirect Bypass\u003c/code\u003e to detect connections to external redirect servers that may be used to bypass SSRF protections.\u003c/li\u003e\n\u003cli\u003eUpgrade Gotenberg to version 8.32.0 or later to patch CVE-2026-42595.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the Gotenberg instance\u0026rsquo;s access to internal resources, mitigating the impact of a successful SSRF attack.\u003c/li\u003e\n\u003cli\u003eConfigure a custom deny-list on the Chromium URL endpoint to explicitly block access to internal IPs, RFC 1918 ranges, and cloud metadata endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T13:51:35Z","date_published":"2026-05-11T13:51:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-ssrf/","summary":"Gotenberg's Chromium URL-to-PDF conversion endpoint is vulnerable to SSRF due to a lack of default protection against HTTP/HTTPS-based requests, allowing attackers to target internal IPs and cloud metadata endpoints; custom deny-lists can be bypassed via HTTP redirects.","title":"Gotenberg SSRF via Chromium URL Endpoint with Redirect Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloud-Metadata","version":"https://jsonfeed.org/version/1.1"}