GHSA-rqgh-gxv4-6657 CRITICAL go/github.com/gotenberg/gotenberg/v8

CVE: CVE-2026-42589

Unauthenticated RCE in Gotenberg via Metadata Key Newline Injection

Summary

Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring.

Vulnerability Details

FieldValue ProductGotenberg Version8.29.1 (default `gotenberg/gotenberg:8`) Component`pdfengines/metadata/write` endpoint CWECWE-78 — Improper Neutralization of Special Elements used in an OS Command

Affected Code

Product: Gotenberg

Endpoint: /forms/pdfengines/metadata/write

Root cause: JSON metadata keys are passed to go-exiftool without control-character

validation. The existing dangerousTags blocklist uses exact-match deletion and

provides no defense against \n-embedded keys.

The injection occurs because go-exiftool writes each key to ExifTool's stdin as:

fmt.Fprintln(e.stdin, "-"+k+"="+str)   // k contains \n → splits into a new argument line

When k is Title\n-if\nsystem('cmd')||1\n-Comment, ExifTool's stdin becomes:

-Title
-if
system('cmd')||1
-Comment=x

ExifTool's -if flag evaluates its argument as a Perl expression, giving the attacker arbitrary code execution.

Why it's vulnerable: Gotenberg is the HTTP entry point. It controls what data enters go-exiftool. The dangerousTags blocklist (FileName, Directory)

📌 来源: GitHub-Advisory | 🆔 CVE-2026-42589 | 📅 2026-05-07