Server-Side Request Forgery (SSRF)
CVE-2026-42595
Summary
Gotenberg is a Docker-powered stateless API for PDF files. Prior to version 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint '/forms/chromium/convert/url' has no default protection against HTTP/HTTPS-based Server-Side Request Forgery (SSRF). The default deny-list regex only blocks 'file://' URIs. An unauthenticated attacker can point Chromium at any internal IP including loopback, RFC 1918 ranges, and cloud metadata endpoints and receive the response rendered as a PDF. Additionally, even when operators configure a custom deny-list, the protection is bypassed via HTTP redirects. Gotenberg's Chromium instance follows 302 redirects from an attacker-controlled external URL to internal targets without re-validating the redirect destination against the deny-list. This vulnerability is fixed in 8.32.0.
- LOW
- NETWORK
- NONE
- CHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-918 - Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF) is a weakness that allows an attacker to send an arbitrary request, making it appear that the request was sent by the server. This request may bypass a firewall that would normally prevent direct access to the URL. The impact of this vulnerability can vary from unauthorized access to files and sensitive information to remote code execution.
References
Advisory Timeline
- Published
