Description
Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Published: 2026-04-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Regex Exhaustion
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a regular expression denial of service (ReDoS) that occurs when Gotenberg compiles user-supplied scope patterns without a timeout. Attackers can provide specially crafted patterns that cause the regex engine to enter exponential backtracking, causing worker processes to hang indefinitely. This results in denial of service to all clients of the API, consuming CPU and possibly memory resources. The weakness is reflected in CWE-1333, a regex‑based denial of service.

Affected Systems

The issue exists in Gotenberg version 8.29.1 and earlier. Gotenberg is an open‑source API used for document format conversion, and the affected component is the dlclark/regexp2 library used to parse scope patterns for features such as extraHttpHeaders. The vendor product is Gotenberg by thecodingmachine.

Risk and Exploitability

The CVSS base score of 8.7 marks the bug as high severity. According to the EPSS data, the probability of exploitation is currently below 1%, and the vulnerability is not listed in the CISA KEV catalog. However, the likely attack vector is remote, exploiting the HTTP API that accepts scope patterns. The attacker would need valid access to the API endpoint and supply a malicious regex; the lack of a timeout allows the worker to be hung until manually restarted.

Generated by OpenCVE AI on April 14, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.30.0 or later, which removes the vulnerable regex usage.
  • If an immediate upgrade is not possible, disable any API endpoints that allow user‑defined scope patterns until a patch is applied.
  • Monitor worker process health and restart the service when a hang is detected.
  • Apply input validation or rate limiting to restrict complex regex payloads sent to the API.

Generated by OpenCVE AI on April 14, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fmwg-qcqh-m992 Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
History

Tue, 14 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Thecodingmachine
Thecodingmachine gotenberg
CPEs cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*:*
Vendors & Products Thecodingmachine
Thecodingmachine gotenberg

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Gotenberg
Gotenberg gotenberg
Vendors & Products Gotenberg
Gotenberg gotenberg

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Title Gotenberg has a ReDoS via extraHttpHeaders scope feature
Weaknesses CWE-1333
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gotenberg Gotenberg
Thecodingmachine Gotenberg
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:20:52.933Z

Reserved: 2026-04-02T19:25:52.193Z

Link: CVE-2026-35458

cve-icon Vulnrichment

Updated: 2026-04-09T14:20:43.107Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T15:17:43.733

Modified: 2026-04-14T20:27:23.103

Link: CVE-2026-35458

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses