Threat Feed

Tag

Gotenberg

7 briefs
high advisory

Gotenberg SSRF via IPv6 Address Confusion (CVE-2026-45741)

Gotenberg's `IsPublicIP` function incorrectly classifies IPv6 6to4, NAT64, and deprecated site-local addresses as public IPs, enabling an unauthenticated attacker to reach internal destinations such as cloud metadata services.

gotenberg/gotenberg/v8 ssrf gotenberg ipv6 cve-2026-45741
critical advisory

Gotenberg Unauthenticated SSRF Vulnerability

Gotenberg is vulnerable to Server-Side Request Forgery (SSRF) due to bypassable default deny-lists in the `downloadFrom` and `webhook` features, where case-sensitive regex matching allows attackers to use IPv6 loopback URLs to bypass the deny-list and access internal HTTP services.

Gotenberg ssrf vulnerability
high advisory

Gotenberg SSRF Vulnerability in LibreOffice Conversion Endpoint

Gotenberg is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient hardening in the LibreOffice conversion endpoint. Attackers can embed external URLs in uploaded documents to make outbound HTTP requests that bypass Gotenberg's SSRF filters, potentially enabling access to internal services, data exfiltration, or port scanning. Versions up to 8.31.0 are affected.

Gotenberg +1 ssrf libreoffice vulnerability
high advisory

Gotenberg ExifTool Metadata Write Blocklist Bypass Vulnerability

The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server.

Gotenberg exiftool metadata file-manipulation
high advisory

Gotenberg Chromium Deny-List Bypass via Case-Insensitive URL Scheme

Gotenberg versions before 8.29.0 are vulnerable to unauthenticated arbitrary file read: mixed-case or uppercase URL schemes such as `FILE:///etc/passwd` bypass the Chromium deny-list, letting attackers read sensitive files such as `/etc/passwd` and leak data from the Gotenberg container. This also bypasses the fix for CVE-2024-21527.

gotenberg file-read vulnerability chromium
critical advisory

Gotenberg Unauthenticated RCE via ExifTool Metadata Key Injection

Gotenberg version 8.29.1 is vulnerable to unauthenticated remote code execution (RCE) due to newline injection in metadata keys passed to ExifTool, allowing arbitrary command execution via the `-if` flag.

Gotenberg 8.29.1 gotenberg rce exiftool newline-injection cwe-78
medium advisory

Gotenberg Denial of Service via Context Pool Reuse

Gotenberg versions 8.31.0 and earlier are vulnerable to an unauthenticated denial-of-service attack where a race condition in the webhook middleware causes a panic and process termination when handling concurrent requests.

Gotenberg denial-of-service vulnerability