CVE-2026-42597 - Gotenberg allows Chromium URL conversion routes to read arbitrary files under /t

📡 GitHub-Advisory · 2026-05-07

CVE-2026-42597

GHSA-g924-cjx7-2rjw MEDIUM go/github.com/gotenberg/gotenberg/v8

CVE: CVE-2026-42597

Summary

The /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so the HTML/Markdown routes can load their own request-local assets, and those routes apply a per-request AllowedFilePrefixes guard to scope the read to their own working directory. The URL routes never set AllowedFilePrefixes, so the scope guard is silently skipped. Alice enumerates /tmp/, walks Gotenberg's per-request working directories, and reads the raw source files of other in-flight conversions back as rendered PDF output.

Details

The default deny-list regex at pkg/modules/chromium/chromium.go:449 uses a negative lookahead to exempt /tmp/:

fs.StringSlice("chromium-deny-list",
    []string{`^file:(?!//\/tmp/).*`},
    "Set the denied URLs for Chromium using regular expressions - supports multiple values")

pkg/gotenberg/outbound.go:185-187 short-circuits IP validation for non-HTTP schemes:

if !httpLikeScheme(parsed.Scheme) {
    return outboundDecision{}, nil
}

So any file:///tmp/... URL passes FilterOutboundURL cleanly.

The HTML route pairs the exemption with a per-request scope guard (pkg/modules/chromium/routes.go:518):

options.AllowedFilePrefixes = []string{ctx.DirPath()}

and the CDP Fetch.requestPaused handler enforces the scope (pkg/modules/chromium/events.go:65-78):

if allow && strings.HasPrefix(e.Request.URL, "file://") && len(options.allowedFilePrefixes) > 0 {
    prefixMatch := false
    for _, prefix := range options.allowedFilePrefixes {
        if strings.HasPrefix(e.Request.URL, "file://"+prefix) {
            prefixMatch = true
            break
        }
    }
    if !prefixMatch {
        allow = false
    }
}

The len(options.allowedFilePrefixes) > 0 condition skips the entire enforcement block when the slice is empty. The URL route handler at pkg/modules/chromium/routes.go:406-448 (convertUrlRoute) n
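The gap described above is a fail-open default: an empty prefix slice disables the file:// scope check instead of denying file:// reads. The following Go program is an added illustration written for this page, not Gotenberg's own code. It places a minimal mimic of the described check (legacyFileScope, which reproduces the "empty slice means no enforcement" behaviour) beside a fail-closed variant (scopeFileRequest) that denies file:// when no scope is configured and compares cleaned path components rather than a raw string prefix. The function names, the decision type and the /tmp/req-... directory names are all constructed for the example; the general point is that any per-request scoping guard should treat "no scope configured" as "deny", so that a route which forgets to set the scope cannot read anything.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// decision records the outcome of the scope check and why it was taken,
// which is what a defender wants to see in the request log.
type decision struct {
	Allow  bool
	Reason string
}

// legacyFileScope mirrors the shape of the check described in the advisory:
// a file:// request is only constrained when a prefix list is present, so an
// empty list lets every file:// URL that survived the deny-list through.
// (Illustrative mimic for this page, not Gotenberg's source.)
func legacyFileScope(rawURL string, allowedPrefixes []string) bool {
	allow := true // the deny-list already passed this URL
	if allow && strings.HasPrefix(rawURL, "file://") && len(allowedPrefixes) > 0 {
		prefixMatch := false
		for _, prefix := range allowedPrefixes {
			if strings.HasPrefix(rawURL, "file://"+prefix) {
				prefixMatch = true
				break
			}
		}
		if !prefixMatch {
			allow = false
		}
	}
	return allow
}

// scopeFileRequest is the fail-closed form. It parses the URL, treats a
// file:// request with no configured scope as denied, cleans the path so
// ".." segments cannot escape, and requires the cleaned path to be the
// allowed directory itself or a descendant of it (so /tmp/req-1234 is not
// accepted by a scope of /tmp/req-123).
func scopeFileRequest(rawURL string, allowedPrefixes []string) decision {
	u, err := url.Parse(rawURL)
	if err != nil {
		return decision{false, "unparseable URL"}
	}
	if u.Scheme != "file" {
		return decision{true, "non-file scheme, not this guard's concern"}
	}
	if len(allowedPrefixes) == 0 {
		return decision{false, "file scheme requested but no per-request scope is set"}
	}
	clean := path.Clean(u.Path)
	for _, dir := range allowedPrefixes {
		dir = path.Clean(dir)
		if clean == dir || strings.HasPrefix(clean, dir+"/") {
			return decision{true, "inside allowed directory " + dir}
		}
	}
	return decision{false, "outside every allowed directory"}
}

func main() {
	// Constructed sample requests: one route that set its scope, one that
	// forgot to (nil), and a few out-of-scope shapes.
	scope := []string{"/tmp/req-123"}
	samples := []struct {
		url    string
		prefix []string
	}{
		{"file:///tmp/req-123/index.html", scope},
		{"file:///tmp/req-123/index.html", nil},
		{"file:///tmp/req-456/secret.html", scope},
		{"file:///tmp/req-1234/index.html", scope},
		{"file:///tmp/req-123/../req-456/index.html", scope},
		{"https://example.com/", nil},
	}
	for _, s := range samples {
		d := scopeFileRequest(s.url, s.prefix)
		fmt.Printf("%-48s legacy=%-5v strict=%-5v (%s)\n",
			s.url, legacyFileScope(s.url, s.prefix), d.Allow, d.Reason)
	}
}
```

Running it shows the two checks agreeing on the in-scope request and disagreeing on the nil-scope request: the legacy mimic allows it, the strict check denies it with an explicit reason. The strict check also rejects the sibling-directory and ".." cases because it compares cleaned path components rather than raw URL prefixes; whether a real CDP handler ever sees un-normalised URLs depends on the browser, so that part is defensive hardening rather than a claim about Gotenberg.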
