CVE-2026-45742
Published 2026-05-29
Severity: high
## Gotenberg has a Race Condition via Multipart `downloadFrom` Handling

### Summary

Gotenberg is vulnerable to a remote denial of service in multipart `downloadFrom` handling. A multipart request containing multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with `fatal error: concurrent map writes`. In the default configuration, `downloadFrom` is enabled and authentication is disabled, so an exposed instance can be crashed by an unauthenticated remote attacker.

### Details

The issue is in `pkg/modules/api/context.go`. `newContext` parses multipart requests and processes the `downloadFrom` form field before the route handler runs. For each `downloadFrom` entry, it starts a goroutine via `errgroup.Go()`:

- `pkg/modules/api/context.go:221`

Each goroutine downloads a file and then writes to request context maps shared by all goroutines:

- `ctx.files[filename] = path`
- `ctx.diskToOriginal[path] = filename`
- `ctx.filesByField[...] = append(...)`

Affected lines in current `main`:

- `pkg/modules/api/context.go:395`
- `pkg/modules/api/context.go:396`
- `pkg/modules/api/context.go:401`

Go maps and slices are not safe for concurrent writes. A crafted multipart request with many `downloadFrom` entries can therefore trigger a runtime crash.

The vulnerable `downloadFrom` feature was introduced in commit `f2b6bd3d`. The first tagged release containing this code appears to be `v8.10.0`.

### PoC

The following self-contained command creates a temporary test file, runs the PoC, and removes the file afterwards. It does not require any external network access. Run from the repository root:

```sh
cat > pkg/modules/api/downloadfrom_race_poc_test.go <<'EOF'
//go:build security_poc

package api

import (
	"bytes"
	"encoding/json"
	"fmt"
	"log/slog"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
	"sync"
	"testing"
	"time"

	"github.com/labstack/echo/v4"
	"github.com/gotenberg/gotenberg/v8/pkg/gotenb
```
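As an added illustration (not Gotenberg's code), the following Go sketch reproduces the shape of the three shared-map writes named in the Details section and shows the fix a maintainer would apply: one mutex held for every write made from the per-entry goroutines. It assumes `sync.WaitGroup` in place of `errgroup`, and the download itself is stubbed with a constructed filename, so nothing touches the network.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sync"
)

// requestContext carries the three shared structures the advisory names;
// the mutex is the fix: every write from a download goroutine holds it.
type requestContext struct {
	mu             sync.Mutex
	files          map[string]string   // filename -> path on disk
	diskToOriginal map[string]string   // path on disk -> original filename
	filesByField   map[string][]string // form field -> filenames
}

func newRequestContext() *requestContext {
	return &requestContext{files: map[string]string{}, diskToOriginal: map[string]string{}, filesByField: map[string][]string{}}
}

// addFile records one downloaded file. Without the lock, the three writes
// below are the unsynchronized map writes that abort the Go runtime.
func (c *requestContext) addFile(field, filename, path string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.files[filename] = path
	c.diskToOriginal[path] = filename
	c.filesByField[field] = append(c.filesByField[field], filename)
}

// downloadAll stands in for the goroutine started per downloadFrom entry
// (WaitGroup instead of errgroup); the fetch is stubbed with a constructed name.
func downloadAll(c *requestContext, workdir string, urls []string) {
	var wg sync.WaitGroup
	for i := range urls {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			filename := fmt.Sprintf("download%d.html", i)
			c.addFile("downloadFrom", filename, filepath.Join(workdir, filename))
		}(i)
	}
	wg.Wait()
}

func main() {
	urls := make([]string, 500) // 500 downloadFrom entries; values unused by the stub
	c := newRequestContext()
	downloadAll(c, "/tmp/work", urls)
	fmt.Println(len(c.files), len(c.filesByField["downloadFrom"]))
}
```

Run it with `go run -race .` and the detector stays quiet; remove the `Lock`/`Unlock` pair and the same run reports the data race on all three maps, which is the check to apply when reviewing a patch for this class of bug.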
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gotenberg_gotenberg_v8 | >= 8.10.0 < 8.33.0 | 8.33.0 |