exploitDog
GHSA-jjwv-57xh-xr6r

Published: 30 Mar 2026
Source: github
GitHub: Reviewed
CVSS4: 7.8

Description

Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)

Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.

The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

Steps to Reproduce

  1. Start Gotenberg with default settings:

     docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg

  2. Read /etc/passwd via the URL endpoint using an uppercase scheme:

     curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
       --form 'url=FILE:///etc/passwd' -o output.pdf

  3. Open output.pdf: it contains the contents of /etc/passwd.

  4. Alternatively, create an index.html:

     <iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>

     Then convert it:

     curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
       -F 'files=@index.html' -o output.pdf

     The resulting PDF contains /etc/passwd contents.

Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.

Root Cause

  • pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*
  • pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive
  • pkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-list
  • Chromium normalizes URL schemes to lowercase, so FILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passed

Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

(?i)^file:(?!//\/tmp/).*

Or apply case-insensitive matching in FilterDeadline when compiling the regex.
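The bypass and the two suggested fixes side by side, as an added example that is not part of the advisory or of Gotenberg's own code. It is written in Python rather than Go because the deny-list depends on a negative lookahead, which Go's standard regexp package does not support (Gotenberg uses the third-party regexp2 package for that); Python's re has the same lookahead and flag semantics, so the advisory's default pattern can be used verbatim. DENY_LIST is the pattern quoted in the advisory; the scoped (?i:...) variant, normalize_scheme and the sample URLs are my own additions and assumptions, not something the advisory proposes.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Default Chromium deny-list as quoted in the advisory
# (pkg/modules/chromium/chromium.go).
DENY_LIST = r"^file:(?!//\/tmp/).*"

# Vulnerable: compiled with no flags, so the literal "file:" is matched
# case-sensitively. Python counterpart of regexp2.MustCompile(denied.String(), 0).
DENY_VULNERABLE = re.compile(DENY_LIST)

# Fix option A from the advisory: inline (?i) in the pattern itself.
DENY_INLINE_FLAG = re.compile("(?i)" + DENY_LIST)

# Fix option B from the advisory: pass a case-insensitive option at compile
# time (regexp2.IgnoreCase in Go, re.IGNORECASE here).
DENY_COMPILE_FLAG = re.compile(DENY_LIST, re.IGNORECASE)

# Tighter variant (my assumption, not in the advisory): scope the
# case-insensitivity to the scheme only, so the /tmp/ exemption stays
# case-sensitive and "FILE:///TMP/..." is not accidentally exempted.
DENY_SCOPED_FLAG = re.compile(r"(?i:^file:)(?!//\/tmp/).*")


def is_denied(url: str, deny: re.Pattern = DENY_VULNERABLE) -> bool:
    """True if the deny-list blocks this URL. Uses an unanchored search to
    mirror regexp2's Match semantics; the pattern anchors itself with ^."""
    return deny.search(url) is not None


def normalize_scheme(url: str) -> str:
    """Lowercase the scheme the way Chromium does before navigation, so the
    deny-list sees what the browser will actually fetch. urlsplit() already
    lowercases the scheme component. Defence-in-depth idea; my assumption."""
    return urlunsplit(urlsplit(url))


def bypass_surface(urls, vulnerable=DENY_VULNERABLE, fixed=DENY_COMPILE_FLAG):
    """URLs the vulnerable check lets through but the fixed check blocks."""
    return [u for u in urls if not is_denied(u, vulnerable) and is_denied(u, fixed)]


# Constructed sample inputs (not taken from the advisory).
SAMPLE_URLS = [
    "file:///etc/passwd",       # denied by every variant
    "FILE:///etc/passwd",       # slips past the case-sensitive check
    "File:///etc/passwd",
    "fiLE:///etc/passwd",
    "file:///tmp/index.html",   # exempted by the lookahead in every variant
    "FILE:///TMP/index.html",   # exempted under (?i); denied by the scoped variant
    "https://example.com/",     # not a file: URL, never denied
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(
            f"{u:26} vulnerable={str(is_denied(u)):<5} "
            f"(?i)={str(is_denied(u, DENY_INLINE_FLAG)):<5} "
            f"scoped={is_denied(u, DENY_SCOPED_FLAG)}"
        )
    print("bypass surface:", bypass_surface(SAMPLE_URLS))
    print("normalized:", normalize_scheme("FILE:///etc/passwd"))
```

Both fixes the advisory proposes make the whole pattern case-insensitive, including the /tmp/ exemption, so a URL such as FILE:///TMP/index.html is exempted as well. On a case-sensitive Linux filesystem that is a different, normally nonexistent, directory, so it is harmless in practice, but the scoped variant shows how to limit the flag to the scheme if that matters. The more general rule is the one normalize_scheme illustrates: match the deny-list against the URL the browser will actually fetch, not the bytes the client sent.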

Severity

This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.

Packages

Name: github.com/gotenberg/gotenberg/v8 (go)
Affected versions: < 8.29.0
Fixed version: 8.29.0

EPSS

Percentile: 4%
Score: 0.00016
Low

CVSS4

7.8 High

Weaknesses

CWE-22
CWE-918