Gotenberg Webhook and Download Deny-List Bypass Vulnerability
Vulnerability
Gotenberg versions up to and including 8.30.1 allow a bypass of the default private-IP deny-lists used by the webhook and api-download-from features. The deny-lists are regular expressions matched against the raw URL string, and the scheme part of the expression is case-sensitive, so a URL whose scheme is written in uppercase or mixed case (for example HTTP:// or hTtP://) does not match and is allowed through. Go's net/url.Parse() then normalizes the scheme to lowercase before the outbound TCP connection is made, so the request reaches exactly the target a lowercase URL would have reached. The result is a server-side request forgery: unauthenticated requests to the Gotenberg API can make it connect to internal network services, including hosts in private IP ranges, loopback addresses and cloud instance metadata endpoints. The issue is fixed in Gotenberg version 8.31.0.
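The following Go program is an added illustration of the flaw, not code from Gotenberg. It contrasts a case-sensitive deny check applied to the raw URL string with a check applied after parsing, and shows that net/url.Parse lowercases the scheme so both spellings dial the same host. The regular expression, the stub DNS table and the host names in it are constructed for this example and are not Gotenberg's actual defaults.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// denyPattern is a constructed stand-in for a case-sensitive private-address
// deny-list matched against the raw URL string (an assumption for this example,
// not Gotenberg's real default expression).
var denyPattern = regexp.MustCompile(
	`^https?://(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.|localhost|\[::1\])`)

// VulnerableDenied reproduces the flawed logic: "https?" is case-sensitive, so
// "HTTP://" never matches and the URL is allowed through.
func VulnerableDenied(raw string) bool {
	return denyPattern.MatchString(raw)
}

// EffectiveTarget shows what the client dials after net/url.Parse, which
// lowercases the scheme: HTTP://172.17.0.1 and http://172.17.0.1 are the same target.
func EffectiveTarget(raw string) (scheme, host string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	return u.Scheme, u.Hostname(), nil
}

// Resolver abstracts DNS so the example runs offline; net.LookupIP fits this
// signature for real use.
type Resolver func(host string) ([]net.IP, error)

// constructedHosts is a stub DNS table (constructed data for the example).
var constructedHosts = map[string][]net.IP{
	"example.com":       {net.ParseIP("93.184.216.34")},
	"metadata.internal": {net.ParseIP("169.254.169.254")},
}

// StubResolve answers only from the table and fails for anything else.
func StubResolve(host string) ([]net.IP, error) {
	if ips, ok := constructedHosts[strings.ToLower(host)]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

// isInternal flags loopback, RFC 1918, link-local (which covers the
// 169.254.169.254 metadata address) and unspecified addresses.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// HardenedDenied parses first and decides on normalized components: the scheme
// is compared lowercased, only http/https pass, and the host is checked as an IP
// literal or, after resolution, on every address it maps to. Parse or lookup
// failures are denied (fail closed).
func HardenedDenied(raw string, resolve Resolver) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return true
	}
	host := u.Hostname()
	if host == "" {
		return true
	}
	if ip := net.ParseIP(host); ip != nil {
		return isInternal(ip)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return true
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return true
		}
	}
	return false
}

func main() {
	for _, raw := range []string{"http://172.17.0.1:12345/", "HTTP://172.17.0.1:12345/"} {
		scheme, host, _ := EffectiveTarget(raw)
		fmt.Printf("%-26s regex-denied=%-5t hardened-denied=%-5t dials %s://%s\n",
			raw, VulnerableDenied(raw), HardenedDenied(raw, StubResolve), scheme, host)
	}
}
```

Even the hardened check leaves a time-of-check/time-of-use gap if the HTTP client resolves the name again when it dials (DNS rebinding), and redirects are a second way to reach a denied address. In a real client the decision belongs in the dialer, applied to the address actually being connected to, for the initial request and every redirect.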
Impact
An attacker can make Gotenberg issue requests to internal network services the deny-list was meant to protect, including hosts in private IP ranges and cloud instance metadata services. Depending on what those services expose, this can disclose sensitive information such as environment variables and configuration files, including credentials.
Reproduction
Start Gotenberg with its default settings and send a POST request to the URL conversion endpoint with a URL whose scheme is uppercase, for example 'HTTP://172.17.0.1:12345/'. Instead of being rejected by the deny-list, the request is accepted and Gotenberg connects to the internal address. The bypass can also be triggered by uploading an HTML file that references a mixed-case URL scheme in an iframe: Gotenberg fetches the internal resource while rendering and embeds its content in the resulting PDF, which returns the data to the attacker.
Remediation
Update to Gotenberg version 8.31.0 or later, where this vulnerability has been fixed.
