Gotenberg
cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*
- <= 8.29.1
Gotenberg versions through 8.29.1 let a caller bypass the blocklist that is meant to keep dangerous ExifTool pseudo-tags out of metadata writes, so a single request can rename or move files and create hardlinks or symlinks on the server. The bypass abuses ExifTool's group-prefix syntax ('Group:Tag'): the blocklist compares the submitted key verbatim, but ExifTool strips the group prefix before matching the tag name, so a key such as 'File:FileName' passes the check and is then executed as the blocked 'FileName' pseudo-tag. In addition, the pseudo-tags that change file attributes (permissions and ownership) were never on the blocklist at all. Gotenberg 8.30.0 fixes the issue.
Exploitation lets a caller manipulate files inside the Gotenberg container: renaming and moving files, and creating hardlinks or symlinks to them. Where the container has mounted volumes, or where Gotenberg runs outside a container, this extends to reading arbitrary files by chaining symlinks into the output the API returns, and to overwriting files by renaming or moving files and directories.
To reproduce, upload a PDF through the Gotenberg API and supply a 'metadata' JSON object whose keys use the group-prefix syntax to slip past the blocklist on dangerous pseudo-tags: 'File:FileName' renames the file, 'File:Directory' moves it, and 'File:SymLink' or 'File:HardLink' creates a link to it. Alternatively, change file attributes with pseudo-tags that were never blocked: 'FilePermissions', 'FileUserID' or 'FileGroupID'.
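The following Go program is an added example; it is not Gotenberg's code and not the 8.30.0 fix. It contrasts a verbatim blocklist comparison of the kind the advisory describes with a check that canonicalises the key the way ExifTool will read it before matching. The tag names come from the advisory; the assumptions about ExifTool's write syntax (an optional 'Group:' prefix, case-insensitive names, a '#' suffix and operator suffixes that the pattern simply refuses) are mine, and the accepted pattern is deliberately conservative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ExifTool pseudo-tags that act on the filesystem instead of the file's
// metadata. The first four are the ones the advisory says the blocklist in
// Gotenberg <= 8.29.1 was meant to stop; the last three are the attribute
// tags it says were never blocked.
var renameTags = []string{"FileName", "Directory", "HardLink", "SymLink"}
var attrTags = []string{"FilePermissions", "FileUserID", "FileGroupID"}

// vulnerableCheck models the flawed logic described on the page: the submitted
// key is compared verbatim against the blocklist, so "File:FileName" is not
// recognised as "FileName". Illustration only, not Gotenberg's own code.
func vulnerableCheck(key string) error {
	for _, t := range renameTags {
		if key == t {
			return fmt.Errorf("metadata key %q is blocked", key)
		}
	}
	return nil
}

// tagKeyPattern accepts ExifTool's "Group:Tag" write syntax (any number of
// group qualifiers, each followed by a colon; assumed syntax) and captures the
// bare tag name. Anything else, for example a "#" suffix or "+=" style
// operator, is rejected outright rather than guessed at.
var tagKeyPattern = regexp.MustCompile(`^(?:[A-Za-z0-9-]+:)*([A-Za-z0-9_-]+)$`)

// blocked holds every dangerous tag name, lower-cased because ExifTool matches
// tag and group names case-insensitively.
var blocked = func() map[string]bool {
	m := make(map[string]bool)
	for _, t := range append(append([]string{}, renameTags...), attrTags...) {
		m[strings.ToLower(t)] = true
	}
	return m
}()

// hardenedCheck canonicalises the key (drop group prefixes, ignore case)
// before consulting the blocklist, and refuses any key it cannot canonicalise.
func hardenedCheck(key string) error {
	m := tagKeyPattern.FindStringSubmatch(strings.TrimSpace(key))
	if m == nil {
		return fmt.Errorf("metadata key %q has unsupported syntax", key)
	}
	if blocked[strings.ToLower(m[1])] {
		return fmt.Errorf("metadata key %q resolves to blocked tag %q", key, m[1])
	}
	return nil
}

func main() {
	// Constructed sample keys: benign ones a PDF client would send, plus the
	// bypass keys named in the advisory.
	keys := []string{"Author", "XMP-dc:Title", "FileName", "File:FileName",
		"file:symlink", "File:Directory", "FilePermissions", "FileName#"}
	for _, k := range keys {
		fmt.Printf("%-18s vulnerable_accepts=%-5v hardened_accepts=%v\n",
			k, vulnerableCheck(k) == nil, hardenedCheck(k) == nil)
	}
}
```

The point of the hardened version is not the specific regular expression but the ordering: resolve the key to the tag name the downstream parser will act on, then compare, and reject syntax you do not understand instead of forwarding it. An allowlist of the handful of document metadata tags a PDF service actually needs (Author, Title, Keywords and the like) would be stricter still and is the better default for a new deployment.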
Users should update to Gotenberg version 8.30.0 or later.