Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m.
Details
The blocklist in pkg/modules/exiftool/exiftool.go filters four dangerous pseudo-tags (FileName, Directory, HardLink, SymLink) using strings.EqualFold(key, tag). However, ExifTool supports group-prefix syntax where File:FileName is processed identically to FileName -- the prefix is stripped by SetNewValue in Writer.pl before tag matching.
The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) allows colons, so prefixed tag names pass validation. Any prefix works: File:FileName, System:Directory, a:HardLink, etc.
Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags are not blocked at all and can modify file attributes without any prefix.
PoC
# Rename the converted PDF (bypasses FileName blocklist)
curl -F "files=@test.pdf" \
-F 'metadata={"File:FileName":"pwned.pdf"}' \
http://localhost:3000/forms/pdfengines/metadata/write
# Move the file to /tmp (bypasses Directory blocklist)
curl -F "files=@test.pdf" \
-F 'metadata={"File:Directory":"/tmp"}' \
http://localhost:3000/forms/pdfengines/metadata/write
# Create a symlink (bypasses SymLink blocklist)
curl -F "files=@test.pdf" \
-F 'metadata={"File:SymLink":"/tmp/symlink-poc"}' \
http://localhost:3000/forms/pdfengines/metadata/write
# Change file permissions (not blocked at all)
curl -F "files=@test.pdf" \
-F 'metadata={"FilePermissions":"rwxrwxrwx"}' \
http://localhost:3000/forms/pdfengines/metadata/writeImpact
Pre-auth (no authentication by default). Attacker can rename, move, or create links to files within the Gotenberg container. In deployments with mounted volumes or non-containerized setups, this enables arbitrary file read via symlink chaining and file overwrite via directory manipulation.
This is a direct bypass of the fix for GHSA-qmwh-9m9c-h36m.
AnalysisAI
Remote attackers can manipulate server filesystem operations in Gotenberg v8 by bypassing ExifTool metadata blocklist using group-prefix syntax (e.g., 'File:FileName' instead of 'FileName'). The vulnerability allows unauthenticated file renaming, moving, symlink/hardlink creation, and permission modification on the server. This directly bypasses the previous fix for GHSA-qmwh-9m9c-h36m. Public exploit code exists with working PoC commands. In non-containerized deployments or those with mounted volumes, attackers can achieve arbitrary file read via symlink chaining and file overwrites. CVSS 8.2 (High) with network vector, low complexity, and no authentication required.
Technical ContextAI
Gotenberg is a Go-based API for PDF generation and manipulation that integrates ExifTool for metadata operations. The vulnerability exploits CWE-184 (Incomplete List of Disallowed Inputs) in pkg/modules/exiftool/exiftool.go. The blocklist uses strings.EqualFold() to filter dangerous ExifTool pseudo-tags (FileName, Directory, HardLink, SymLink), but ExifTool's SetNewValue function in Writer.pl strips group prefixes before tag matching, so 'File:FileName' becomes 'FileName' after parsing. The safeKeyPattern regex (^[a-zA-Z0-9\-_.:]+$) permits colons, allowing prefixed variants to pass validation. Additionally, FilePermissions, FileUserID, and FileGroupID pseudo-tags lack any blocklist protection. The affected package is pkg:go/github.com_gotenberg_gotenberg_v8 with all versions through 8.29.1 vulnerable.
RemediationAI
No vendor-released patch identified at time of analysis - GitHub advisory shows 'fixed in: None' for versions through 8.29.1. Monitor https://github.com/gotenberg/gotenberg/security/advisories/GHSA-7v3r-m9c8-r855 for patch availability. Immediate compensating controls: (1) Disable ExifTool metadata write endpoints (/forms/pdfengines/metadata/write) via API gateway or reverse proxy rules if metadata modification is not business-critical - this completely eliminates the attack surface but breaks metadata editing functionality. (2) Implement strict network segmentation to prevent direct internet access to Gotenberg instances, requiring authentication at the application layer before requests reach Gotenberg - adds deployment complexity and latency. (3) Run Gotenberg in isolated containers without host volume mounts and use ephemeral storage only - limits impact to container scope but prevents persistent file storage use cases. (4) Deploy Web Application Firewall rules to block HTTP requests containing 'File:', 'System:', or other ExifTool group prefixes in metadata JSON payloads - can be bypassed with creative prefix variations and requires ongoing rule maintenance. Review previous fix attempt at https://github.com/advisories/GHSA-qmwh-9m9c-h36m to understand mitigation inadequacy.
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30316
GHSA-7v3r-m9c8-r855