Impact
Gotenberg’s Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) allows an unauthenticated attacker to specify any HTTP or HTTPS target. The service renders the returned page as a PDF, effectively giving the attacker access to internal resources. Because the default deny-list blocks only file:// URIs, internal IP addresses, loopback, RFC 1918 ranges, and cloud metadata endpoints all remain reachable. Even when a custom deny-list is configured, it can be bypassed with a 302 redirect from an attacker-controlled external URL to the target, because the redirect destination is not re-validated. The result is a high-severity SSRF that can expose sensitive internal data, enabling the attacker to download files, probe internal services, or generate PDFs containing internal content, thereby compromising confidentiality and integrity of internal systems.
Affected Systems
All installations of Gotenberg prior to version 8.32.0, regardless of deployment method, including Docker containers using older image tags, are affected.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.6, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, implying lower known exploitation activity. However, the flaw is exploitable with minimal effort: an unauthenticated attacker can simply send a crafted request to the endpoint, and Gotenberg will fetch the target and return a PDF, bypassing any deny-list rules via redirects. The likely attack vector is HTTP requests to the publicly reachable web interface of the Gotenberg service. An attacker does not need authentication or privileged credentials; the vulnerability can be exploited from any network that can reach the service.
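The missing control described under Impact is re-validation of the destination on every hop. The following is an added example, not Gotenberg's code or its fix: a generic Go outbound client that checks the resolved IP at connect time and the scheme on each redirect. The deny-list contents, the redirect cap and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// ErrDenied marks a destination rejected by either check.
var ErrDenied = errors.New("destination denied")

// Constructed deny-list for the destination classes the advisory names.
var denied = []string{"127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "fe80::/10", "fc00::/7"}

// guardDial sees the resolved IP:port of every connection, redirect hops included.
func guardDial(_, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrDenied, err)
	}
	ip := ap.Addr().Unmap().WithZone("") // normalise ::ffff:a.b.c.d and zones
	for _, cidr := range denied {
		if netip.MustParsePrefix(cidr).Contains(ip) {
			return fmt.Errorf("%w: %s is in %s", ErrDenied, ip, cidr)
		}
	}
	return nil
}

// checkHop re-validates each redirect target's scheme and caps the chain.
func checkHop(req *http.Request, via []*http.Request) error {
	if s := req.URL.Scheme; s != "http" && s != "https" {
		return fmt.Errorf("%w: scheme %q", ErrDenied, s)
	}
	if len(via) >= 5 {
		return fmt.Errorf("%w: too many redirects", ErrDenied)
	}
	return nil
}

func newFetchClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: guardDial}
	return &http.Client{Timeout: 15 * time.Second, CheckRedirect: checkHop,
		Transport: &http.Transport{DialContext: d.DialContext}}
}
func main() { fmt.Println(guardDial("tcp", "169.254.169.254:80", nil)) }
```

Because the check runs in the dialer rather than on the submitted URL string, a hostname that resolves to an internal address is rejected the same way as an IP literal.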