https://feed.craftedsignal.io/vendors/gotenberg/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 30 Apr 2026 17:24:55 +0000https://feed.craftedsignal.io/briefs/2026-05-gotenberg-ssrf/Thu, 30 Apr 2026 17:24:55 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-gotenberg-ssrf/Gotenberg version 8.29.1 is vulnerable to Server-Side Request Forgery (SSRF) due to an unfiltered webhook URL, allowing unauthenticated attackers to force outbound HTTP POST requests to arbitrary destinations, enabling internal network probing and interaction with internal services.Gotenberg version 8.29.1, as distributed in the default gotenberg/gotenberg:8 Docker image, contains an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. Discovered on April 4, 2026, this flaw allows an attacker with network access to the Gotenberg instance to specify an arbitrary URL via the Gotenberg-Webhook-Url request header, forcing the server to make outbound HTTP POST requests. This is a blind SSRF vulnerability, where the attacker cannot directly read the response body, but can infer information based on the success or failure of the request. The vulnerability exists due to an insecure default in the FilterDeadline function, which, when unconfigured, permits all webhook URLs. The impact includes internal network probing, forced POST requests to internal services, and cloud metadata interaction.

Attack Chain

1. The attacker identifies a vulnerable Gotenberg instance exposed on the network (default port 3000).
2. The attacker crafts an HTTP POST request to the /forms/chromium/convert/url endpoint.
3. The attacker includes the Gotenberg-Webhook-Url header, setting it to an internal IP address and port (e.g., http://192.168.1.10:8080/).
4. The attacker may also set the Gotenberg-Webhook-Error-Url to an attacker-controlled server to monitor for request failures.
5. Gotenberg’s FilterDeadline function fails to properly validate the supplied webhook URL due to an insecure default.
6. Gotenberg makes an outbound HTTP POST request to the specified internal IP address and port using the retryablehttp client, potentially retrying the request up to 4 times.
7. If the internal target responds with a 2xx status code, the attacker infers that the host and port are open and accepting POST requests. The error URL is NOT called.
8. If the internal target responds with a 4xx/5xx status code, times out, or rejects the connection, the attacker receives a request at the Gotenberg-Webhook-Error-Url endpoint, indicating the port is likely closed or the service is unavailable.

Impact

The SSRF vulnerability in Gotenberg 8.29.1 allows attackers to probe internal networks, potentially mapping out internal infrastructure by observing the success or failure of requests. Attackers can also force Gotenberg to send POST requests to internal services that perform actions upon receiving such requests, potentially triggering unintended behavior. Although the attacker cannot directly read response bodies, the ability to determine reachability and trigger actions makes this a significant security risk. The retry mechanism amplifies the probing effect, as each request generates up to 4 attempts.

Recommendation

• Apply the recommended configuration to either set --env GOTENBERG_API_WEBHOOK_ALLOW_LIST or --env GOTENBERG_API_WEBHOOK_DENY_LIST to restrict or block internal ranges to mitigate the SSRF vulnerability.
• Monitor web server logs for POST requests to /forms/chromium/convert/url with the Gotenberg-Webhook-Url header containing suspicious internal IP addresses or domains using the provided Sigma rule.
• Deploy the Sigma rule to detect suspicious outbound network connections originating from the Gotenberg process to internal IP ranges or cloud metadata endpoints.

]]>highadvisoryssrfgotenbergcve-2026-39383https://feed.craftedsignal.io/briefs/2024-01-02-gotenberg-exiftool-injection/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-gotenberg-exiftool-injection/Gotenberg version 8.30.1 and earlier is vulnerable to argument injection, where an unauthenticated attacker can inject arbitrary ExifTool pseudo-tags via newline characters in metadata values, leading to arbitrary file manipulation within the container filesystem.Gotenberg, a Docker-based solution for converting various document formats to PDF, is vulnerable to an argument injection flaw affecting versions 8.30.1 and earlier. This vulnerability stems from insufficient sanitization of metadata values passed to the ExifTool during PDF processing. Specifically, the application fails to properly sanitize newline characters within metadata values. By exploiting this flaw, an unauthenticated attacker can inject arbitrary ExifTool pseudo-tags, such as -FileName, -Directory, -SymLink, and -HardLink, allowing for unauthorized file manipulation, including renaming, moving, overwriting, and creating symbolic or hard links to files within the container’s filesystem. The vulnerability is a bypass of an incomplete key sanitization fix introduced in version 8.30.1, highlighting the importance of thorough input validation.

Attack Chain

1. An attacker crafts a malicious PDF file or uses an existing PDF.
2. The attacker injects a newline character followed by an ExifTool pseudo-tag (e.g., -FileName=/tmp/inject_proof) into a metadata value (e.g., the ‘Title’ field).
3. The attacker sends the PDF, along with the crafted metadata, to the Gotenberg /forms/pdfengines/metadata/write endpoint via a POST request.
4. Gotenberg’s WriteMetadata function in pkg/modules/exiftool/exiftool.go processes the metadata.
5. The unsanitized metadata value is passed to go-exiftool’s SetString function.
6. go-exiftool writes the key-value pair to ExifTool’s stdin using fmt.Fprintln(e.stdin, "-"+k+"="+str).
7. The newline character splits the ExifTool stdin line into two separate arguments, injecting the attacker’s pseudo-tag.
8. ExifTool executes the injected command (e.g., moving the PDF to /tmp/inject_proof).

Impact

Successful exploitation allows an unauthenticated attacker to rename or move any PDF being processed to an arbitrary path within the container filesystem, which runs as root by default. This also enables overwriting arbitrary files (e.g., corrupting the /etc/passwd file), creating symlinks, and creating hard links. The container filesystem becomes fully exposed to arbitrary file manipulation.

Recommendation

• Apply value sanitization parallel to the existing key check in WriteMetadata as described in the advisory.
• Implement detection rules to identify attempts to exploit the vulnerability by monitoring for suspicious characters in HTTP requests to the /forms/pdfengines/metadata/write endpoint using the provided Sigma rule.
• Monitor for unexpected file modifications within the Gotenberg container, especially the creation or modification of symbolic links and hard links, using file_event log source.
• Upgrade to a patched version of Gotenberg that addresses this vulnerability to prevent exploitation (CVE-2026-40281).

]]>criticaladvisoryargument-injectionvulnerabilitycontainer