CVE-2024-21527
Published 2024-07-19
Priority P3 · 48 · high · 8.2 · CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:L A:N
EPSS: 0.57% (42.9th percentile)
Versions of the packages github.com/gotenberg/gotenberg/v8/pkg/gotenberg, github.com/gotenberg/gotenberg/v8/pkg/modules/chromium and github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as . By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing sensitive files on the host system to be read.
Workaround
An alternative is to use either or both of the --chromium-deny-list and --chromium-allow-list flags.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v7 | 0 – 7.10.2 | — |
| github.com | gotenberg_gotenberg_v8 | >= 0 < 8.29.0 | 8.29.0 |
| github.com | gotenberg_gotenberg_v8 | >= 0 < 8.1.0 | 8.1.0 |
| gotenberg | gotenberg | < 8.29.0 | 8.29.0 |
| gotenberg | gotenberg | <= 8.30.1 | — |
| thecodingmachine | gotenberg | < 8.29.0 | 8.29.0 |
CVSS provenance
nvd · v3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
ghsa · 8.2 HIGH
osv · 8.2 HIGH
OSV
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
osv·2026-03-30·CVSS 8.2
CVE-2026-27018 [HIGH] Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
### Impact
The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.
The default `--chromium-deny-list` value is `^file:(?!//\/tmp/).*`. This regex is anchored to lowercase `file:` at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like `FILE:///etc/passwd` or `File:///etc/passwd` bypasses the deny-list check but still gets resolved by Chromium as `file:///etc/passwd`.
The root cause is in `pkg/gotenberg/filter.go` — the `FilterDeadline` function compiles the deny-list regex with `regexp2.MustCompile(deni
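The mismatch described above, written as a regression check (an added example, not Gotenberg's code): the default deny-list regex is applied to the raw URL and to a form with only the scheme lowercased, and any scheme-case spelling whose verdict differs is reported. It uses Python's `re`, which accepts the same lookahead syntax; the function names and the sample list are assumptions made for illustration.

```python
import re

# Default --chromium-deny-list value as quoted in the advisory text.
DEFAULT_DENY_LIST = r"^file:(?!//\/tmp/).*"

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def canonicalize(url: str) -> str:
    """Lowercase only the scheme, leaving the rest of the URL untouched."""
    m = SCHEME_RE.match(url)
    if m is None:
        return url
    return m.group(1).lower() + url[m.end(1):]

def is_denied(pattern: str, url: str, normalize: bool) -> bool:
    """Apply the deny-list regex to the raw URL or to its canonical form."""
    subject = canonicalize(url) if normalize else url
    return re.search(pattern, subject) is not None

def scheme_case_variants(url: str) -> list[str]:
    """Spellings of the same URL that differ only in scheme case."""
    m = SCHEME_RE.match(url)
    if m is None:
        return [url]
    scheme, rest = m.group(1), url[m.end(1):]
    return [scheme.lower() + rest, scheme.upper() + rest, scheme.capitalize() + rest]

def audit(pattern: str, urls: list[str]) -> list[str]:
    """Return variants the raw check lets through but the canonical check denies."""
    gaps = []
    for url in urls:
        for variant in scheme_case_variants(url):
            if is_denied(pattern, variant, True) and not is_denied(pattern, variant, False):
                gaps.append(variant)
    return gaps

# Constructed sample inputs; the /etc/passwd URL is the one used in the advisory.
SAMPLES = ["file:///etc/passwd", "file:///tmp/render/index.html", "https://example.com/"]

if __name__ == "__main__":
    for gap in audit(DEFAULT_DENY_LIST, SAMPLES):
        print("raw check misses:", gap)
```

An empty result from `audit` means the deny-list verdict does not depend on how the scheme is capitalized, which is the property a filter placed in front of Chromium needs.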
GHSA
Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
ghsa·2026-03-30·CVSS 8.2
CVE-2026-27018 [HIGH] CWE-22 Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)
OSV
CVE-2024-21527 in github.com/gotenberg/gotenberg
osv·2024-07-22·CVSS 8.2
CVE-2024-21527 [HIGH] CVE-2024-21527 in github.com/gotenberg/gotenberg
No detection rules found.
No public exploits indexed.
https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356
https://github.com/gotenberg/gotenberg/commit/ad152e62e5124b673099a9103eb6e7f933771794
https://github.com/gotenberg/gotenberg/releases/tag/v8.1.0
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGGOTENBERG-7537081
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESCHROMIUM-7537082
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOTENBERGGOTENBERGV8PKGMODULESWEBHOOK-7537083