{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cwe-78/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gotenberg 8.29.1"],"_cs_severities":["critical"],"_cs_tags":["gotenberg","rce","exiftool","newline-injection","cwe-78"],"_cs_type":"advisory","_cs_vendors":["Gotenberg"],"content_html":"\u003cp\u003eGotenberg version 8.29.1, a popular Docker-based service for converting documents to PDF, is vulnerable to unauthenticated remote code execution (RCE). The vulnerability resides in the \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint, which writes caller-supplied metadata into a PDF. Gotenberg hands the metadata keys to ExifTool through the go-exiftool library, which drives ExifTool in \u003ccode\u003estay_open\u003c/code\u003e mode and feeds it one argument per line on stdin. Because the keys are not validated, a key containing a newline character (\u003ccode\u003e\\n\u003c/code\u003e) is split into several ExifTool arguments, which lets an attacker inject the \u003ccode\u003e-if\u003c/code\u003e flag. ExifTool evaluates the operand of \u003ccode\u003e-if\u003c/code\u003e as a Perl expression, so this yields OS command execution. This vulnerability was discovered on 2026-04-04 and affects deployments where Gotenberg\u0026rsquo;s port 3000 is reachable without authentication. Exploitation requires a single HTTP POST request with a crafted JSON payload, and the server returns a 200 OK status with a valid PDF, so nothing in the response reveals the attack.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e with a PDF file and a \u003ccode\u003emetadata\u003c/code\u003e form field containing a JSON object.\u003c/li\u003e\n\u003cli\u003eThe JSON object contains a key with embedded newline escapes (\u003ccode\u003e\\n\u003c/code\u003e). For example: \u003ccode\u003e\u0026quot;Title\\n-if\\nsystem('id')||1\\n-Comment\u0026quot;: \u0026quot;x\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s backend deserializes the JSON object. Each \u003ccode\u003e\\n\u003c/code\u003e escape becomes a literal newline character, which is preserved in the key.\u003c/li\u003e\n\u003cli\u003eThe crafted key is passed to the go-exiftool library.\u003c/li\u003e\n\u003cli\u003ego-exiftool writes \u003ccode\u003e-Key=Value\u003c/code\u003e verbatim to ExifTool\u0026rsquo;s stdin. ExifTool reads one argument per line in this mode, so the embedded newlines split the single key into separate arguments: \u003ccode\u003e-Title\u003c/code\u003e, \u003ccode\u003e-if\u003c/code\u003e, \u003ccode\u003esystem('id')||1\u003c/code\u003e, \u003ccode\u003e-Comment=x\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eExifTool evaluates \u003ccode\u003esystem('id')||1\u003c/code\u003e as the Perl condition for \u003ccode\u003e-if\u003c/code\u003e, which runs the \u003ccode\u003eid\u003c/code\u003e command; the \u003ccode\u003e||1\u003c/code\u003e keeps the condition true so processing continues normally.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the command output via out-of-band techniques, such as an HTTP callback.\u003c/li\u003e\n\u003cli\u003eThe server responds with HTTP 200 and a valid PDF file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary commands as the Gotenberg process user, which is \u003ccode\u003egotenberg\u003c/code\u003e (UID 1001) and a member of the \u003ccode\u003eroot\u003c/code\u003e group in the default Docker image. This enables the attacker to read and write files, establish reverse shells, or pivot to other systems in the network. Because the vulnerability requires no authentication and produces no error signal, any Gotenberg instance exposed to an untrusted network is at risk of complete compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement input validation within Gotenberg to reject metadata keys containing control characters such as \u003ccode\u003e\\n\u003c/code\u003e, \u003ccode\u003e\\r\u003c/code\u003e, and \u003ccode\u003e\\x00\u003c/code\u003e (for example with \u003ccode\u003estrings.ContainsAny\u003c/code\u003e) before they reach go-exiftool.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule, or equivalent detection logic, that flags requests to this endpoint whose \u003ccode\u003emetadata\u003c/code\u003e parameter contains newline characters.\u003c/li\u003e\n\u003cli\u003ePlace Gotenberg behind an authenticated reverse proxy to prevent direct access from untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for POST requests to the \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint, as this is the entry point for the attack. Enable request body logging: a default access log records only the URL and status, so these requests look like ordinary 200 responses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T16:25:00Z","date_published":"2024-01-03T16:25:00Z","id":"/briefs/2024-01-gotenberg-rce/","summary":"Gotenberg version 8.29.1 is vulnerable to unauthenticated remote code execution (RCE) due to newline injection in metadata keys passed to ExifTool, allowing arbitrary command execution via the `-if` flag.","title":"Gotenberg Unauthenticated RCE via ExifTool Metadata Key Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-gotenberg-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cwe-78","version":"https://jsonfeed.org/version/1.1"}
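The following Go program is an added example, not code from the advisory, from Gotenberg, or from go-exiftool. It reproduces the argument splitting described in the attack chain and applies the key validation the recommendation calls for. `buildExifArgs` is an assumption about how a stay_open wrapper formats `-Key=Value` lines for ExifTool, not go-exiftool's actual implementation; `attackerMetadata` and `benignMetadata` are constructed inputs. The hardened path also rejects control characters in string values, which the advisory does not discuss but which, under this model, reach the same newline-delimited stream.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample inputs (not captured traffic): the JSON carried in the
// "metadata" form field of a POST to /forms/pdfengines/metadata/write.
// In attackerMetadata the key holds JSON "\n" escapes, which the decoder turns
// into real newline characters.
const attackerMetadata = `{"Title\n-if\nsystem('id')||1\n-Comment":"x"}`
const benignMetadata = `{"Title":"Quarterly report","Author":"Alice"}`

// buildExifArgs models (as an assumption, not go-exiftool's real code) how a
// stay_open wrapper formats metadata for ExifTool: one "-Key=Value" per line,
// because "exiftool -stay_open True -@ -" reads ONE argument per line of stdin.
func buildExifArgs(metadata map[string]interface{}) string {
	var b strings.Builder
	for k, v := range metadata {
		fmt.Fprintf(&b, "-%s=%v\n", k, v)
	}
	return b.String()
}

// exiftoolSplit reproduces ExifTool's view of that stdin text: every line is a
// separate argument. This is where one crafted key becomes four arguments.
func exiftoolSplit(argText string) []string {
	return strings.Split(strings.TrimRight(argText, "\n"), "\n")
}

// exifArgsFromJSON decodes a metadata field with no validation and returns the
// argument list ExifTool would see: the vulnerable path in the attack chain.
func exifArgsFromJSON(raw string) ([]string, error) {
	var md map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &md); err != nil {
		return nil, err
	}
	return exiftoolSplit(buildExifArgs(md)), nil
}

// validateMetadataKey is the check the advisory recommends: reject any key
// containing a character that can break the one-argument-per-line framing.
func validateMetadataKey(key string) error {
	if key == "" {
		return fmt.Errorf("empty metadata key")
	}
	if strings.ContainsAny(key, "\n\r\x00") {
		return fmt.Errorf("metadata key %q contains control characters", key)
	}
	return nil
}

// parseAndValidate is the hardened path: decode, then check every key. String
// values are checked as well, since under this model they reach the same
// newline-delimited stream (an extension beyond what the advisory states).
func parseAndValidate(raw string) (map[string]interface{}, error) {
	var md map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &md); err != nil {
		return nil, fmt.Errorf("invalid metadata JSON: %w", err)
	}
	for k, v := range md {
		if err := validateMetadataKey(k); err != nil {
			return nil, err
		}
		if s, ok := v.(string); ok && strings.ContainsAny(s, "\n\r\x00") {
			return nil, fmt.Errorf("metadata value for %q contains control characters", k)
		}
	}
	return md, nil
}

func main() {
	args, _ := exifArgsFromJSON(attackerMetadata)
	fmt.Printf("unvalidated: ExifTool sees %d arguments: %q\n", len(args), args)
	if _, err := parseAndValidate(attackerMetadata); err != nil {
		fmt.Println("validated:  ", err)
	}
	if md, err := parseAndValidate(benignMetadata); err == nil {
		fmt.Println("benign:      accepted", len(md), "keys")
	}
}
```

Run it with `go run`: the first line shows the four arguments that the single crafted key turns into, the second the rejection from the validator, and the third that ordinary metadata still passes. A stricter variant would allow-list key characters (ExifTool tag names are alphanumeric, optionally with a `Group:` prefix) rather than deny-list control characters; the deny-list shown matches what the advisory recommends.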