Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2026-42594
Summary
Gotenberg is a Docker-powered stateless API for PDF files. Prior to version 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's 'echo.Context' after the synchronous handler returns 'ErrAsyncProcess' and Echo recycles the context back to its 'sync.Pool'. When a concurrent request claims the recycled context, 'c.Reset()' clears the store. If the webhook goroutine reaches 'hardTimeoutMiddleware' at that moment, an unchecked type assertion on a nil store entry panics outside any 'recover()' scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default webhook-deny-list filters only the webhook destination, not the submitter). A single-source stress of approximately 24 webhook requests plus approximately 60 'GET /version' requests crashes the process in about two seconds. This vulnerability is fixed in 8.32.0.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-362 - Race Condition
A race condition occurs in a shared memory program when two threads/processes access the same shared memory data, and at least one thread executes a write operation. This vulnerability manipulates the time to check vs. time to use (TOC/TOU) gap between the threads in the critical section to cause disorientation in the shared data. The impact can vary from compromising the confidentiality of the system to causing the system to crash or to execute arbitrary code.
References
Advisory Timeline
- Published
