Description
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF. This vulnerability is fixed in 8.32.0.
Published: 2026-05-14
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Gotenberg's URL conversion route uses Chromium to fetch external content. The FilterOutboundURL step resolves the hostname and checks the result, but then discards the resolved addresses. Chromium performs its own DNS lookup when navigating to the URL, so an attacker who controls DNS for the hostname can return a public IP on the first lookup and a private IP on the second. The CDP Fetch.requestPaused handler re-checks the URL, but it also runs its own DNS resolution, which leaves a timing gap in which Chromium connects to an attacker‑chosen internal address and fetches internal content. The internal response is returned to the requester as a PDF. The result is a server‑side request forgery that bypasses the intended outbound URL filter. The weakness aligns with CWE‑918 (SSRF) and CWE‑367 (time-of-check time-of-use race condition, exploited here through DNS rebinding).
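The gap between the checked lookup and the connecting lookup, reduced to a small Go model. This is an added example, not Gotenberg's code: `resolver`, `vet`, `target` and `flipping` are hypothetical names, and the resolver is a constructed stand-in for DNS so the block runs offline.

```go
package main

import (
	"fmt"
	"net/netip"
)

// resolver stands in for a DNS lookup (hypothetical type, not Gotenberg's API).
type resolver func(host string) ([]netip.Addr, error)

// vet resolves host once, rejects non-public answers and returns what it vetted.
func vet(host string, resolve resolver) ([]netip.Addr, error) {
	addrs, err := resolve(host)
	for _, a := range addrs {
		if a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsUnspecified() {
			return nil, fmt.Errorf("%s resolves to non-public address %s", host, a)
		}
	}
	return addrs, err
}

// target returns the address the connection would reach. pin=false mirrors the flawed
// flow (check keeps only the error, connect resolves again); pin=true uses a vetted one.
func target(host string, resolve resolver, pin bool) (netip.Addr, error) {
	addrs, err := vet(host, resolve)
	if err == nil && !pin {
		addrs, err = resolve(host) // second lookup, answer never vetted
	}
	if err != nil || len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("no usable address for %s: %v", host, err)
	}
	return addrs[0], nil
}

// flipping is a constructed resolver: public answer first, private afterwards.
func flipping() resolver {
	n := 0
	return func(string) ([]netip.Addr, error) {
		n++
		if n == 1 {
			return []netip.Addr{netip.MustParseAddr("203.0.113.10")}, nil
		}
		return []netip.Addr{netip.MustParseAddr("10.0.0.5")}, nil
	}
}

func main() {
	fmt.Println(target("rebind.example", flipping(), false)) // 10.0.0.5 <nil>
	fmt.Println(target("rebind.example", flipping(), true))  // 203.0.113.10 <nil>
}
```

The same deny-list passes in both runs; only the pinned flow guarantees that the address connected to is one the check actually saw.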

Affected Systems

The affected product is Gotenberg (the Docker‑based PDF generation service). All versions earlier than 8.32.0 are vulnerable. No specific sub‑versions are listed; the remedy is to upgrade to 8.32.0 or later, where the FilterOutboundURL validation has been corrected to use the resolved IPs retained from the initial DNS lookup.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity. Exploitation requires controlling the DNS records for a domain with a short TTL and causing the service to perform two separate lookups, which is generally feasible for an attacker with DNS hosting privileges. The EPSS score is not available and the vulnerability is not in CISA's KEV catalog. Because the timing window is small, the attack is likely to succeed only when the attacker can reliably control the order of DNS responses. Because the product is stateless, the vulnerability does not cause a denial of service, but it enables internal network reconnaissance and potential data exposure.

Generated by OpenCVE AI on May 14, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gotenberg to version 8.32.0 or newer to apply the patched outbound URL validation.
  • If immediate upgrading is not possible, block outbound connections from the Gotenberg container to private IP ranges using network policies or firewall rules.
  • Disable or restrict Chromium‑based URL conversion routes until a patch can be deployed, or enforce DNS rebinding protection by rejecting short‑TTL records.
  • Monitor DNS queries for suspicious patterns that could indicate rebinding attempts.

Advisories
Source: GitHub GHSA
ID: GHSA-2pmr-289p-44r3
Title: Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

History

Thu, 14 May 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:30:00 +0000

Type: First Time appeared
Values Added: Gotenberg; Gotenberg gotenberg

Type: Vendors & Products
Values Added: Gotenberg; Gotenberg gotenberg

Thu, 14 May 2026 16:15:00 +0000

Type: Description
Values Added: identical to the Description at the top of this page

Type: Title
Values Added: Gotenberg: DNS rebinding bypasses SSRF validation on Chromium URL conversion routes

Type: Weaknesses
Values Added: CWE-367; CWE-918

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:14:45.866Z

Reserved: 2026-04-29T00:31:15.724Z

Link: CVE-2026-42592

Vulnrichment

Updated: 2026-05-14T18:12:00.662Z

NVD

Status: Undergoing Analysis

Published: 2026-05-14T16:16:22.307

Modified: 2026-05-14T19:16:36.233

Link: CVE-2026-42592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:15:16Z
