{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/metadata/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gotenberg (\u003c= 8.29.1)"],"_cs_severities":["high"],"_cs_tags":["gotenberg","exiftool","metadata","file-manipulation"],"_cs_type":"advisory","_cs_vendors":["Gotenberg"],"content_html":"\u003cp\u003eGotenberg, a Docker-powered document conversion API, is vulnerable to a bypass of the tag-name blocklist that guards its ExifTool metadata write endpoint. The vulnerability, affecting Gotenberg v8 (\u0026lt;= 8.29.1), allows unauthenticated attackers to trigger file system operations inside the Gotenberg container. It uses ExifTool\u0026rsquo;s group-prefix syntax (\u003ccode\u003eGROUP:TAG\u003c/code\u003e) to circumvent the intended restrictions on the pseudo-tags \u003ccode\u003eFileName\u003c/code\u003e, \u003ccode\u003eDirectory\u003c/code\u003e, \u003ccode\u003eHardLink\u003c/code\u003e, and \u003ccode\u003eSymLink\u003c/code\u003e, which ExifTool treats as instructions to rename, move, or link the file rather than as metadata to embed. The bypass directly negates the fix implemented for GHSA-qmwh-9m9c-h36m. Because no authentication is required to reach the endpoint, any client that can reach the API can trigger these file operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003emetadata\u003c/code\u003e field containing a JSON object whose keys are ExifTool tag names.\u003c/li\u003e\n\u003cli\u003eThe attacker names a blocked tag with a group prefix (e.g., \u003ccode\u003eFile:FileName\u003c/code\u003e rather than \u003ccode\u003eFileName\u003c/code\u003e), so the key does not match the blocklist entry in \u003ccode\u003epkg/modules/exiftool/exiftool.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esafeKeyPattern\u003c/code\u003e regex (\u003ccode\u003e^[a-zA-Z0-9\\-_.:]+$\u003c/code\u003e) allows colons, so the prefixed key also passes validation.\u003c/li\u003e\n\u003cli\u003eExifTool\u0026rsquo;s \u003ccode\u003eSetNewValue\u003c/code\u003e function in \u003ccode\u003eWriter.pl\u003c/code\u003e parses the \u003ccode\u003eGROUP:TAG\u003c/code\u003e form, strips the group prefix, and resolves the bare pseudo-tag, so the blocked tag is processed after all.\u003c/li\u003e\n\u003cli\u003eExifTool performs the file system operation the pseudo-tag denotes (renaming, moving, creating a hard link or a symlink).\u003c/li\u003e\n\u003cli\u003eIf the Gotenberg deployment uses mounted volumes or is non-containerized, these operations reach paths outside the container.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file read via symlink chaining and file overwrite via directory manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows unauthenticated attackers to rename, move, or create links to files within the Gotenberg container. In deployments with mounted volumes or non-containerized setups, this extends to arbitrary file read via symlink chaining and file overwrite via directory manipulation. The vulnerability affects Gotenberg v8 (\u0026lt;= 8.29.1) and can compromise the confidentiality and integrity of data the service processes. Because it is a direct bypass of a previous security fix, deployments that applied that fix remain exposed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Gotenberg to a version greater than 8.29.1 to remediate CVE-2026-42590.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is in place, harden the \u003ccode\u003emetadata\u003c/code\u003e field of the \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e endpoint: strip any group prefix (everything up to and including the last colon) from each key before the blocklist comparison so that \u003ccode\u003eFile:FileName\u003c/code\u003e is treated exactly like \u003ccode\u003eFileName\u003c/code\u003e, or reject any key containing a colon outright at the cost of legitimate group-qualified tags.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Gotenberg ExifTool Metadata Write - File Rename\u003c/code\u003e to detect attempts to rename files through the vulnerable endpoint, and extend coverage to the \u003ccode\u003eDirectory\u003c/code\u003e, \u003ccode\u003eHardLink\u003c/code\u003e, and \u003ccode\u003eSymLink\u003c/code\u003e variants if the rule does not already include them.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/forms/pdfengines/metadata/write\u003c/code\u003e whose \u003ccode\u003emetadata\u003c/code\u003e field contains \u0026ldquo;File:FileName\u0026rdquo;, \u0026ldquo;File:Directory\u0026rdquo;, \u0026ldquo;File:HardLink\u0026rdquo;, or \u0026ldquo;File:SymLink\u0026rdquo;. Because the bypass depends on the presence of a group prefix rather than on the literal \u003ccode\u003eFile:\u003c/code\u003e text, a rule that matches the blocked tag name after any colon is the safer superset.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T00:55:44Z","date_published":"2026-05-07T00:55:44Z","id":"/briefs/2026-05-gotenberg-exiftool-bypass/","summary":"The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server.","title":"Gotenberg ExifTool Metadata Write Blocklist Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-gotenberg-exiftool-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Metadata","version":"https://jsonfeed.org/version/1.1"}
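Added worked example (not part of the feed item above, and not Gotenberg's or ExifTool's code): a Go program that reconstructs the blocklist check the attack chain describes, the hardened form the recommendations call for, and the generalised log-monitoring check, then runs all three over a constructed metadata body. The `safeKeyPattern` regex and the four pseudo-tag names are taken from the advisory; the function names, the exact-match blocklist modelled for the vulnerable path, the case-insensitive comparison, and the sample request body are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// safeKeyPattern is the key validation regex the advisory quotes from
// pkg/modules/exiftool/exiftool.go; it admits ':' and so ExifTool's GROUP:TAG form.
var safeKeyPattern = regexp.MustCompile(`^[a-zA-Z0-9\-_.:]+$`)

// blockedPseudoTags are the four file-operation pseudo-tags the advisory names.
var blockedPseudoTags = []string{"FileName", "Directory", "HardLink", "SymLink"}

// vulnerableAllows models the bypassed check as the advisory describes it (a
// reconstruction, not Gotenberg's code): the whole key is compared against the
// blocklist, so "File:FileName" is not "FileName" and is accepted.
func vulnerableAllows(key string) bool {
	for _, tag := range blockedPseudoTags {
		if key == tag {
			return false
		}
	}
	return safeKeyPattern.MatchString(key)
}

// bareTag drops the group prefix (everything up to and including the last ':'),
// leaving the tag name ExifTool will actually resolve.
func bareTag(key string) string {
	return key[strings.LastIndex(key, ":")+1:]
}

// resolvesToBlocked reports whether the bare tag is a blocked pseudo-tag, compared
// case-insensitively since ExifTool tag names are not case-sensitive (a general ExifTool property).
func resolvesToBlocked(key string) bool {
	bare := bareTag(key)
	for _, tag := range blockedPseudoTags {
		if strings.EqualFold(bare, tag) {
			return true
		}
	}
	return false
}

// hardenedAllows applies the blocklist to the bare tag, so every group-prefixed
// spelling of a blocked pseudo-tag is rejected while a legitimately group-qualified
// tag such as XMP:Creator still passes. A key ending in ':' is rejected as malformed.
func hardenedAllows(key string) bool {
	return safeKeyPattern.MatchString(key) && bareTag(key) != "" && !resolvesToBlocked(key)
}

// Audit records which keys each policy rejects and which keys are group-prefixed
// spellings of a blocked pseudo-tag (the log-monitoring signal, generalised past "File:").
type Audit struct {
	VulnerableRejects, HardenedRejects, BypassAttempts []string
}

// auditMetadata parses the JSON object carried in the form's metadata field and
// classifies its keys; the result slices are sorted for stable output.
func auditMetadata(raw []byte) (Audit, error) {
	var meta map[string]json.RawMessage
	var a Audit
	if err := json.Unmarshal(raw, &meta); err != nil {
		return a, err
	}
	for key := range meta {
		if !vulnerableAllows(key) {
			a.VulnerableRejects = append(a.VulnerableRejects, key)
		}
		if !hardenedAllows(key) {
			a.HardenedRejects = append(a.HardenedRejects, key)
		}
		if strings.Contains(key, ":") && resolvesToBlocked(key) {
			a.BypassAttempts = append(a.BypassAttempts, key)
		}
	}
	sort.Strings(a.VulnerableRejects)
	sort.Strings(a.HardenedRejects)
	sort.Strings(a.BypassAttempts)
	return a, nil
}

// sampleMetadata is a constructed request body (not from the advisory): an ordinary
// tag, a group-qualified legitimate tag, a bare blocked tag, and two prefixed blocked tags.
const sampleMetadata = `{"Title":"Q3 report","XMP:Creator":"alice","FileName":"x.pdf","File:FileName":"/tmp/renamed.pdf","file:SymLink":"/etc/passwd"}`

func main() {
	a, err := auditMetadata([]byte(sampleMetadata))
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable check rejects: %v\n", a.VulnerableRejects)
	fmt.Printf("hardened check rejects:   %v\n", a.HardenedRejects)
	fmt.Printf("keys to alert on:         %v\n", a.BypassAttempts)
}
```

Running it with `go run` prints the keys each policy rejects and the keys a monitor should alert on: the vulnerable check rejects only the bare `FileName`, while the hardened check also rejects `File:FileName` and `file:SymLink` and still accepts `XMP:Creator`. The hardened policy strips the prefix rather than refusing every colon so that group-qualified writes keep working; a deployment that never needs them can use the simpler rule of rejecting any key containing a colon.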