Gotenberg
cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*
- <= 8.31.0
A denial-of-service vulnerability has been identified in Gotenberg, a Docker-based API for PDF processing, affecting versions up to and including 8.31.0. The issue arises in the webhook middleware, where an asynchronous goroutine keeps a reference to the request's echo.Context after the synchronous handler has already signalled that the request will be completed asynchronously. Once the handler returns, Echo considers the request finished and recycles the context for reuse. When a concurrent request is assigned the recycled context, the framework clears its per-request data store. If the webhook goroutine then reaches the timeout middleware, it performs a single-value type assertion on a store entry that is now nil; in Go a failed assertion of that form panics, and a panic in a goroutine that nothing recovers terminates the whole Gotenberg process rather than failing only that one request. Any anonymous caller who can reach the Gotenberg API can trigger this, crashing the process and disrupting PDF conversions.
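The following Go program is an added illustration of the bug class described above and of the two fixes that address it; it is not Gotenberg's or Echo's code. It uses a small stand-in for echo.Context with the same recycle-and-reset lifecycle, and the store key names, the sample URL and the timeout value are constructed for the example. runAsync replays the race deterministically: the handler stores its values and returns, the framework recycles the context, and only then does the webhook goroutine read from it. The unchecked assertion panics, the comma-ok form does not, and snapshot shows the structural fix of copying what the goroutine needs out of the context before the handler returns.

```go
package main

import (
	"fmt"
	"time"
)

// Context stands in for echo.Context: a per-request key/value store that the
// framework reuses for later requests. Added illustration, not Echo's code.
type Context struct {
	store map[string]any
}

// Set records a value for this request.
func (c *Context) Set(key string, val any) {
	if c.store == nil {
		c.store = make(map[string]any)
	}
	c.store[key] = val
}

// Get returns nil for an absent key, as echo.Context.Get does.
func (c *Context) Get(key string) any {
	return c.store[key]
}

// Reset models the framework handing the context to a new request: every
// entry the previous request stored is discarded.
func (c *Context) Reset() {
	c.store = nil
}

// Hypothetical store keys; the real key names are not given in the advisory.
const (
	timeoutKey = "webhook.timeout"
	urlKey     = "webhook.url"
)

// timeoutUnchecked is the vulnerable shape: a single-value type assertion on
// the store entry. If the entry is nil because the context was recycled, the
// assertion panics, and an unrecovered panic in a goroutine ends the process.
func timeoutUnchecked(c *Context) time.Duration {
	return c.Get(timeoutKey).(time.Duration)
}

// timeoutChecked uses the comma-ok form and reports a missing or mistyped
// entry instead of panicking.
func timeoutChecked(c *Context) (time.Duration, bool) {
	d, ok := c.Get(timeoutKey).(time.Duration)
	return d, ok
}

// webhookJob holds everything the asynchronous goroutine needs, copied out of
// the context while the handler still owns it, so recycling cannot affect it.
type webhookJob struct {
	URL     string
	Timeout time.Duration
}

// snapshot builds a webhookJob from the context, failing cleanly on a missing
// entry rather than panicking.
func snapshot(c *Context) (webhookJob, error) {
	d, ok := timeoutChecked(c)
	if !ok {
		return webhookJob{}, fmt.Errorf("context has no %q entry", timeoutKey)
	}
	u, ok := c.Get(urlKey).(string)
	if !ok {
		return webhookJob{}, fmt.Errorf("context has no %q entry", urlKey)
	}
	return webhookJob{URL: u, Timeout: d}, nil
}

// newRequestContext populates a context with constructed sample values.
func newRequestContext() *Context {
	c := &Context{}
	c.Set(timeoutKey, 30*time.Second)
	c.Set(urlKey, "https://example.invalid/hook")
	return c
}

// runAsync replays the race: handler stores values and returns, the context
// is recycled, then the goroutine reads it. Reports whether the read panicked.
func runAsync(useChecked bool) (panicked bool) {
	c := newRequestContext()
	c.Reset() // handler returned "async"; a concurrent request now owns c

	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	if useChecked {
		_, _ = timeoutChecked(c)
	} else {
		_ = timeoutUnchecked(c)
	}
	return false
}

// runWithSnapshot shows the fixed flow: copy first, then let the context go.
func runWithSnapshot() (webhookJob, error) {
	c := newRequestContext()
	job, err := snapshot(c)
	c.Reset()
	return job, err
}

func main() {
	fmt.Println("unchecked assertion after recycle panicked:", runAsync(false))
	fmt.Println("comma-ok assertion after recycle panicked:", runAsync(true))
	job, err := runWithSnapshot()
	fmt.Printf("snapshot survives recycle: %+v err=%v\n", job, err)
}
```

The comma-ok assertion stops the panic, but on its own it only turns a crash into a silently missing timeout; copying the values into a job struct before the handler returns is what removes the dependence on a context the goroutine no longer owns.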
Exploitation of this vulnerability causes the Gotenberg process to crash, aborting every in-progress PDF conversion and every pending webhook delivery at once. The container can be brought back automatically by its orchestrator (a Docker restart policy or Kubernetes), but each crash still takes the service offline until the process is up again. Sustained exploitation keeps the service in a restart loop, continuously dropping active conversions and webhook deliveries.
The vulnerability can be reproduced by sending roughly 24 concurrent webhook requests (requests carrying Gotenberg's webhook headers, so that the handler hands the work to the asynchronous goroutine) while simultaneously sending about 60 GET /version requests, which churn through the context pool and cause one of the recycled contexts to be cleared while a webhook goroutine still holds it. The race is timing-dependent, so a stress script that controls the concurrency and interleaving of the two request streams makes the crash reliable. The advisory does not publish the script or the exact requests.
Users should upgrade to Gotenberg version 8.32.0 or later, where this vulnerability has been fixed. Because the trigger requires nothing more than API access, deployments that cannot upgrade immediately should ensure the API is not reachable by untrusted callers, for example by network isolation or an authenticating proxy in front of it.