{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/gotenberg/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gotenberg (8.29.1)"],"_cs_severities":["high"],"_cs_tags":["ssrf","gotenberg","cve-2026-39383"],"_cs_type":"advisory","_cs_vendors":["gotenberg"],"content_html":"\u003cp\u003eGotenberg version 8.29.1, as distributed in the default \u003ccode\u003egotenberg/gotenberg:8\u003c/code\u003e Docker image, contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. Discovered on April 4, 2026, this flaw allows an attacker with network access to the Gotenberg instance to specify an arbitrary URL via the \u003ccode\u003eGotenberg-Webhook-Url\u003c/code\u003e request header, forcing the server to make outbound HTTP POST requests. This is a blind SSRF vulnerability, where the attacker cannot directly read the response body, but can infer information based on the success or failure of the request. The vulnerability exists due to an insecure default in the \u003ccode\u003eFilterDeadline\u003c/code\u003e function, which, when unconfigured, permits all webhook URLs. The impact includes internal network probing, forced POST requests to internal services, and cloud metadata interaction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Gotenberg instance exposed on the network (default port 3000).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/forms/chromium/convert/url\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the \u003ccode\u003eGotenberg-Webhook-Url\u003c/code\u003e header, setting it to an internal IP address and port (e.g., \u003ccode\u003ehttp://192.168.1.10:8080/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker may also set the \u003ccode\u003eGotenberg-Webhook-Error-Url\u003c/code\u003e to an attacker-controlled server to monitor for request failures.\u003c/li\u003e\n\u003cli\u003eGotenberg\u0026rsquo;s \u003ccode\u003eFilterDeadline\u003c/code\u003e function fails to properly validate the supplied webhook URL due to an insecure default.\u003c/li\u003e\n\u003cli\u003eGotenberg makes an outbound HTTP POST request to the specified internal IP address and port using the retryablehttp client, potentially retrying the request up to 4 times.\u003c/li\u003e\n\u003cli\u003eIf the internal target responds with a 2xx status code, the attacker infers that the host and port are open and accepting POST requests. The error URL is NOT called.\u003c/li\u003e\n\u003cli\u003eIf the internal target responds with a 4xx/5xx status code, times out, or rejects the connection, the attacker receives a request at the \u003ccode\u003eGotenberg-Webhook-Error-Url\u003c/code\u003e endpoint, indicating the port is likely closed or the service is unavailable.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe SSRF vulnerability in Gotenberg 8.29.1 allows attackers to probe internal networks, potentially mapping out internal infrastructure by observing the success or failure of requests. Attackers can also force Gotenberg to send POST requests to internal services that perform actions upon receiving such requests, potentially triggering unintended behavior. Although the attacker cannot directly read response bodies, the ability to determine reachability and trigger actions makes this a significant security risk. The retry mechanism amplifies the probing effect, as each request generates up to 4 attempts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the recommended configuration to either set \u003ccode\u003e--env GOTENBERG_API_WEBHOOK_ALLOW_LIST\u003c/code\u003e or \u003ccode\u003e--env GOTENBERG_API_WEBHOOK_DENY_LIST\u003c/code\u003e to restrict or block internal ranges to mitigate the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/forms/chromium/convert/url\u003c/code\u003e with the \u003ccode\u003eGotenberg-Webhook-Url\u003c/code\u003e header containing suspicious internal IP addresses or domains using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious outbound network connections originating from the Gotenberg process to internal IP ranges or cloud metadata endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T17:24:55Z","date_published":"2026-04-30T17:24:55Z","id":"/briefs/2026-05-gotenberg-ssrf/","summary":"Gotenberg version 8.29.1 is vulnerable to Server-Side Request Forgery (SSRF) due to an unfiltered webhook URL, allowing unauthenticated attackers to force outbound HTTP POST requests to arbitrary destinations, enabling internal network probing and interaction with internal services.","title":"Gotenberg Unauthenticated SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-ssrf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["gotenberg","file-read","vulnerability","chromium"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGotenberg, a popular Docker-based solution for converting HTML, Markdown, and Office documents to PDF, is susceptible to a critical vulnerability in versions prior to 8.29.0. This flaw allows for unauthenticated arbitrary file read due to a bypass in the Chromium deny-list. The vulnerability stems from the application\u0026rsquo;s failure to enforce case-sensitivity when validating URL schemes against the deny-list, implemented to prevent access to sensitive files. An attacker can exploit this by using…\u003c/p\u003e\n","date_modified":"2026-03-30T16:16:57Z","date_published":"2026-03-30T16:16:57Z","id":"/briefs/2026-04-gotenberg-file-read-bypass/","summary":"Gotenberg versions before 8.29.0 are vulnerable to unauthenticated arbitrary file read, where a case-insensitive URL scheme bypasses the Chromium deny-list, allowing attackers to read sensitive files such as /etc/passwd by using mixed-case or uppercase URL schemes like FILE:///etc/passwd, leading to the leakage of sensitive data from the Gotenberg container and bypassing the fix for CVE-2024-21527.","title":"Gotenberg Chromium Deny-List Bypass via Case-Insensitive URL Scheme","url":"https://feed.craftedsignal.io/briefs/2026-04-gotenberg-file-read-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Gotenberg","version":"https://jsonfeed.org/version/1.1"}