CVE-2026-42592 - Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion ro
CVE-2026-42592 - Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion ro
GHSA-2pmr-289p-44r3 MEDIUM go/github.com/gotenberg/gotenberg/v8
CVE: CVE-2026-42592
Summary
FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname with a short TTL returns a public IP on the first query (Gotenberg allows) and a private IP on the second query (Chromium connects to the attacker-chosen internal address). The CDP Fetch.requestPaused handler re-checks the URL but runs its own DNS resolution, leaving a timing window before Chromium's actual TCP connect. The rendered internal service response returns to the caller as a PDF.
Details
pkg/gotenberg/outbound.go:227-230 drops the pinned IPs from the outbound decision:
func FilterOutboundURL(ctx context.Context, rawURL string, allowList, denyList []*regexp2.Regexp, deadline time.Time) error {
_, err := decideOutbound(ctx, rawURL, allowList, denyList, deadline)
return err
}The Chromium convert path at pkg/modules/chromium/browser.go:341 calls FilterOutboundURL(ctx, url, b.arguments.allowList, b.arguments.denyList, deadline) and, on success, hands the raw URL string to Chromium via CDP. Chromium's network stack issues its own DNS lookup for the hostname, independent of Go's resolver.
The CDP Fetch.requestPaused listener at pkg/modules/chromium/events.go:55 runs a second check:
err := gotenberg.FilterOutboundURL(ctx, e.Request.URL, options.allowList, options.denyList, deadline)This also calls decideOutbound, which again resolves DNS, checks, and returns only the error. After the handler calls fetch.ContinueRequest at line 101, Chromium proceeds to the actual TCP connect and resolves DNS one more time. Between the second check and the connect, the DNS answer can change.
The webhook and downloadFrom paths avoid this class by using gotenberg.NewOutboundHttpClient at pkg/gotenberg/outbound.go:269-280, whic
📌 来源: GitHub-Advisory | 🆔 CVE-2026-42592 | 📅 2026-05-07