Gotenberg Unauthenticated Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Gotenberg version 8.29.1. An unauthenticated attacker with network access can exploit it by sending a crafted URL in the Gotenberg-Webhook-Url request header. The vulnerability arises because the FilterDeadline function, responsible for validating outbound webhook URLs, fails to enforce any restriction when both the allow-list and the deny-list are empty, which is the default configuration. As a result, any URL is permitted, and an attacker can direct Gotenberg's outbound POST requests to arbitrary internal or external destinations. The SSRF is blind: Gotenberg sends the converted document to the specified webhook URL and only checks for an error status code; it does not relay the response body back to the attacker. The vulnerability can be used to probe internal network services, interact with cloud metadata endpoints, or force POST requests to internal services that perform actions based on the request.

Impact

Exploitation of this vulnerability allows for blind server-side request forgery, where an attacker can make Gotenberg send POST requests to any internal or external URL. This can be used to probe internal services, confirm reachability of cloud metadata endpoints, or interact with internal services that respond to POST requests.

Reproduction

To reproduce this vulnerability, send a POST request to the Gotenberg conversion endpoint with a crafted URL in the Gotenberg-Webhook-Url header. If the request is successful and the error URL is not called, it indicates that the target internal service is reachable and accepting POST requests. This can be automated to probe internal infrastructure one request at a time.

Remediation

Users can upgrade to Gotenberg version 8.31.0 or later. Alternatively, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to specify allowed webhook URLs, or use the GOTENBERG_API_WEBHOOK_DENY_LIST variable to block internal RFC-1918 and link-local address ranges.
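A defensive illustration of the remediation, added here and not Gotenberg's own code: a Go webhook URL filter that applies the allow- and deny-list when they are set and, instead of accepting every URL when both are empty, always rejects hosts that fall into RFC-1918, link-local or loopback ranges. The WebhookFilter type, the StrictCheck function and the injected resolver are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
)

// Hypothetical filter, not Gotenberg's code. Allow/Deny are nil when the
// GOTENBERG_API_WEBHOOK_ALLOW_LIST / GOTENBERG_API_WEBHOOK_DENY_LIST variable is unset.
type WebhookFilter struct {
	Allow, Deny *regexp.Regexp
}

// Ranges an outbound webhook should never reach: RFC 1918, link-local
// (where cloud metadata endpoints live) and loopback, for IPv4 and IPv6.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("fe80::/10"), netip.MustParsePrefix("fc00::/7"),
}

// StrictCheck applies the lists when set and, unlike a filter that fails open when
// both lists are empty, always rejects hosts that resolve into a blocked range.
// The resolver is injected so the check can run offline; it returns nil on success.
func StrictCheck(f WebhookFilter, raw string, resolve func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("webhook URL %q: not an absolute http(s) URL", raw)
	}
	if f.Allow != nil && !f.Allow.MatchString(raw) {
		return fmt.Errorf("webhook URL %q: not in allow-list", raw)
	}
	if f.Deny != nil && f.Deny.MatchString(raw) {
		return fmt.Errorf("webhook URL %q: matches deny-list", raw)
	}
	var addrs []netip.Addr // literal IPs are checked directly, names are resolved
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		addrs = []netip.Addr{ip}
	} else if addrs, err = resolve(u.Hostname()); err != nil {
		return fmt.Errorf("webhook URL %q: cannot resolve host: %w", raw, err)
	}
	for _, a := range addrs {
		for _, p := range blockedPrefixes {
			if p.Contains(a.Unmap()) { // Unmap also catches IPv4-mapped IPv6 forms
				return fmt.Errorf("webhook URL %q: %s is in blocked range %s", raw, a, p)
			}
		}
	}
	return nil
}
```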

Added: May 5, 2026, 9:25 PM
Updated: May 5, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 0.4
exploitability: 9.1
remediation: 8.3
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.