Asymmetric denial of service - ReDoS In github.com/gotenberg/gotenberg/v8
Description
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Summary
Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Details
Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) without setting a MatchTimeout, so the library's default of math.MaxInt64 applies, which is effectively "forever".
For example, any user with access to the endpoint /forms/chromium/screenshot/url can add a crafted scope pattern to the extraHttpHeaders form field using nested quantifiers that cause catastrophic backtracking, hanging the Gotenberg worker indefinitely.
See the dlclark/regexp2 README.md for further considerations.
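The defensive pattern the paragraph above implies is to never run an untrusted regex without a time bound. The block below is an added example, not Gotenberg's code: it compiles the user-supplied scope pattern with Go's standard `regexp` package, whose RE2 engine guarantees linear-time matching and therefore cannot be driven into catastrophic backtracking, and it caps the pattern length with an assumed limit (`maxScopeLen`). Where regexp2 is needed for Perl-style features that RE2 rejects (lookarounds, backreferences), the equivalent control is the library's documented `MatchTimeout` field on the compiled `Regexp`, which makes a runaway match return an error instead of hanging.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// maxScopeLen is an assumed upper bound on a user-supplied scope pattern.
// Bounding pattern size is a cheap first line of defence before compiling.
const maxScopeLen = 256

// CompileScope compiles an untrusted scope pattern with the standard library
// regexp package. RE2 semantics mean matching cost is linear in the input
// length regardless of how the pattern is written, so no timeout is needed.
func CompileScope(pattern string) (*regexp.Regexp, error) {
	if len(pattern) > maxScopeLen {
		return nil, fmt.Errorf("scope pattern too long (%d > %d)", len(pattern), maxScopeLen)
	}
	return regexp.Compile(pattern)
}

// MatchScope reports whether url matches the scope pattern and how long the
// match took, so callers (or tests) can observe that the cost stays bounded.
func MatchScope(pattern, url string) (bool, time.Duration, error) {
	re, err := CompileScope(pattern)
	if err != nil {
		return false, 0, err
	}
	start := time.Now()
	matched := re.MatchString(url)
	return matched, time.Since(start), nil
}

func main() {
	// Constructed pathological case: nested quantifiers plus an input that can
	// never match. A backtracking engine explores roughly 2^n paths here; RE2
	// answers in microseconds.
	pattern := `^(a+)+$`
	input := strings.Repeat("a", 40) + "!"

	matched, elapsed, err := MatchScope(pattern, input)
	fmt.Printf("matched=%v elapsed=%s err=%v\n", matched, elapsed, err)

	// Perl-only syntax is rejected at compile time rather than silently
	// accepted; this is the trade-off for the linear-time guarantee.
	if _, err := CompileScope(`(?<=foo)bar`); err != nil {
		fmt.Println("rejected unsupported syntax:", err)
	}
}
```

If the scope feature genuinely relies on regexp2-only syntax, keep regexp2 but set `MatchTimeout` on every compiled pattern and treat the timeout error as a rejected request; combining that with the length cap above limits how much CPU a single request can consume.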
Tested on the latest container version at the time of writing, gotenberg/gotenberg:8.29.1.
PoC
The following Python script uses the /forms/chromium/screenshot/url endpoint, testing for differences in response times between simple and malicious regexes.

```python
#!/usr/bin/env -S uv run --script
# ///
import json
import time
import requests

HOST = "localhost:3000"
# HOST = "gotenberg.local:3000"
...
```
Impact
This is a ReDoS vulnerability that only impacts the availability of the service and/or the server on which Gotenberg is running. All instances where attackers can reach the /forms/chromium/screenshot/url endpoint and specify the extraHttpHeaders field are affected.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/gotenberg/gotenberg/v8 | | 8.30.0 |
Aliases
References