Gotenberg
cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*
- <= 8.31.0
A server-side request forgery (SSRF) vulnerability exists in Gotenberg versions through 8.31.0, specifically in the LibreOffice conversion endpoint. This endpoint passes uploaded documents directly to LibreOffice without prior content inspection. As a result, LibreOffice can independently fetch embedded external URLs, circumventing any SSRF filters. The vulnerability allows exfiltration of response data through the generated PDF, with potential access to internal services or cloud metadata. The issue is addressed in Gotenberg version 8.32.0.
Exploitation of this vulnerability causes LibreOffice to make outbound HTTP requests that bypass SSRF protections, and data from the responses can potentially be exfiltrated. This could include accessing internal services or cloud metadata, such as AWS, GCP, or Azure IAM credentials.
To reproduce this vulnerability, upload a crafted DOCX file containing an external image reference to the LibreOffice conversion endpoint. The file should be structured to include a relationship pointing to an external URL, which LibreOffice will fetch during the conversion process. Monitor the canary server for incoming requests from LibreOffice, indicating that the external URL was accessed.
Users can update to Gotenberg version 8.32.0 or later, where this vulnerability has been fixed.
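As a defense-in-depth check in front of the conversion endpoint, the content inspection described above can be approximated by listing external relationships in an uploaded OOXML package before it reaches LibreOffice. This is an added example, not Gotenberg's code and not the 8.32.0 fix; the function names, the size cap and the placeholder URL are assumptions, and it covers only OOXML uploads (other formats LibreOffice accepts reference external resources differently).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationships namespace (used by every *.rels part).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_RELS_BYTES = 1 << 20  # assumed cap on the declared size of a relationship part


def external_targets(data: bytes) -> list[tuple[str, str, str]]:
    """Return (part name, relationship kind, target) for each external relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_RELS_BYTES:
                raise ValueError(f"{info.filename}: relationship part too large")
            # Stdlib parser keeps the example self-contained; prefer defusedxml in production.
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((info.filename, kind, rel.get("Target", "")))
    return findings


def should_reject(data: bytes, allowed_kinds=frozenset()) -> bool:
    """Policy for OOXML uploads: reject any external relationship not explicitly allowed."""
    try:
        return any(kind not in allowed_kinds for _, kind, _ in external_targets(data))
    except (zipfile.BadZipFile, ET.ParseError, ValueError):
        return True  # fail closed on anything that cannot be inspected


def constructed_package(rels_xml: str) -> bytes:
    """Constructed sample: a zip holding only a relationships part, not a full document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/{kind}" Target="{target}" TargetMode="{mode}"/></Relationships>')
SAMPLE_EXTERNAL = constructed_package(RELS.format(kind="image", target="http://placeholder.invalid/a.png", mode="External"))
SAMPLE_INTERNAL = constructed_package(RELS.format(kind="image", target="media/image1.png", mode="Internal"))
```

A check like this complements the upgrade to 8.32.0 or later and outbound network restrictions on the conversion host; it does not replace them.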