Gotenberg Unauthenticated Remote Code Execution Vulnerability via ExifTool Metadata Key Injection

Vulnerability

A remote code execution vulnerability has been identified in Gotenberg versions prior to 8.31.0. The issue arises in the '/forms/pdfengines/metadata/write' HTTP endpoint, where JSON metadata keys are passed directly to ExifTool without proper validation. An attacker can inject arbitrary ExifTool flags by embedding a newline character in the JSON key, splitting the ExifTool stdin stream and allowing execution of malicious commands. This vulnerability is particularly concerning as it can be exploited in a single HTTP request, with the response appearing normal, thus evading basic monitoring.

Impact

Exploitation of this vulnerability allows full unauthenticated remote code execution on the server, with commands running as the Gotenberg process user, which has root privileges in the default Docker image. This could lead to unauthorized access to sensitive files, execution of arbitrary commands, and potential lateral movement within the network.

Reproduction

To reproduce this vulnerability, send a POST request to the '/forms/pdfengines/metadata/write' endpoint with a JSON metadata object that includes a key with an embedded newline. Gotenberg will process the request, and the injected ExifTool flags will be executed, resulting in command execution on the server.

Remediation

Users are advised to update Gotenberg to version 8.31.0 or later. Additionally, Gotenberg should be placed behind an authenticated reverse proxy and not exposed directly to untrusted networks.
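As an added illustration of the validation gap described above (example code, not Gotenberg's own; the function names and the tag-name pattern are assumptions), a Go check that rejects metadata keys able to split ExifTool's one-argument-per-line stdin stream or to be read as an option, and that renders the surviving entries as separate argv elements:

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Assumed allow-pattern for tag names such as "Author" or "XMP:Title":
// a letter first (never flag-like), no whitespace or control characters.
var safeKey = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9:_-]*$`)

// ValidateMetadataKeys parses the JSON metadata object and rejects keys
// that could break ExifTool's one-argument-per-line stdin framing or be
// read as an option. Hypothetical helper, not Gotenberg's own code.
func ValidateMetadataKeys(raw []byte) (map[string]any, error) {
	var meta map[string]any
	if err := json.Unmarshal(raw, &meta); err != nil {
		return nil, fmt.Errorf("invalid metadata JSON: %w", err)
	}
	for k := range meta {
		// The advisory's bug class: a newline inside a key ends the
		// current argument and the rest is parsed as new arguments.
		if strings.ContainsAny(k, "\r\n\x00") {
			return nil, fmt.Errorf("metadata key contains a control character")
		}
		if !safeKey.MatchString(k) {
			return nil, fmt.Errorf("metadata key %q is not a plain tag name", k)
		}
	}
	return meta, nil
}

// MetadataArgs renders validated metadata as separate "-Tag=Value" argv
// elements rather than a stdin stream, so a value cannot split the list.
func MetadataArgs(meta map[string]any) []string {
	args := make([]string, 0, len(meta))
	for k, v := range meta {
		args = append(args, fmt.Sprintf("-%s=%v", k, v))
	}
	return args
}

func main() {
	meta, err := ValidateMetadataKeys([]byte(`{"Author":"Alice","XMP:Title":"Report"}`))
	fmt.Println(MetadataArgs(meta), err)
	_, err = ValidateMetadataKeys([]byte(`{"Author\n-injected":"x"}`))
	fmt.Println("rejected:", err)
}
```

The argv slice is meant for exec.Command, where each element stays one argument regardless of its content; if arguments must still be written to ExifTool's stdin, the same per-line rule has to be enforced on values too.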

Added: May 14, 2026, 4:37 PM
Updated: May 14, 2026, 4:37 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 7.5
exploitability: 9.1
remediation: 7.9
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.