Fluid Attacks Database

Description

Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)

Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.

The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

Steps to Reproduce

Start Gotenberg with default settings:

docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg

Read /etc/passwd via the URL endpoint using an uppercase scheme:

curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
  --form 'url=FILE:///etc/passwd' -o output.pdf

Open output.pdf — it contains the contents of /etc/passwd.

Alternatively, create an index.html:

<iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>

Then convert it:

curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
  -F '[email protected]' -o output.pdf

The resulting PDF contains /etc/passwd contents.

Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.

Root Cause

pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*

pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive

pkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-list

Chromium normalizes URL schemes to lowercase, so FILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passed

Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

(?i)^file:(?!//\/tmp/).*

Or apply case-insensitive matching in FilterDeadline when compiling the regex.

Severity

This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/gotenberg/gotenberg/v8	>=0 <8.29.0	8.29.0
go	github.com/gotenberg/gotenberg/v7	>=0 <=7.10.2	-

Aliases

1. CVE-2026-270182. NVD-2026-270183. OSV-2026-270184. GHSA-jjwv-57xh-xr6r5. GHSA-rh2x-ccvw-q7r36. GCVE-2026-27018

References

1. https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r2. https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rh2x-ccvw-q7r33. https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a114. https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff55. https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.