Threat Advisory

Gotenberg Vulnerability Enables Remote Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Gotenberg (Go module `github.com/gotenberg/gotenberg/v8`) versions 8.10.0 through 8.32.0. The issues include a race condition that can cause a denial-of-service via concurrent map writes in multipart `downloadFrom` handling, and a path-traversal flaw that allows crafted filenames to escape the extraction directory when a zip archive is generated. Both weaknesses can be triggered remotely without authentication, potentially crashing the service or writing files outside intended locations. The business risk includes service downtime, loss of availability, and potential exposure of internal file systems to attackers, undermining trust in document conversion workflows.

  • CVE-2026-45742 with a CVSS score of 7.5 – A race condition in the multipart `downloadFrom` processing allows an unauthenticated attacker to send a request containing many `downloadFrom` entries, causing concurrent writes to shared Go maps and triggering a fatal runtime crash. Exploitation requires network access to the Gotenberg endpoint and no prior authentication.
  • CVE-2026-44829 with a CVSS score of 8.8 – A path-traversal issue arises from Windows-style backslashes in uploaded filenames, permitting an attacker to craft a multipart file whose name includes sequences that are preserved in zip entries and extracted outside the intended directory on Windows systems. Exploitation requires the ability to upload a file, and no authentication is needed.

These vulnerabilities pose an immediate threat to service continuity and data integrity. If exploited, attackers can cause unplanned downtime or write files to unauthorized locations, potentially compromising downstream processes and eroding customer confidence. Prompt attention is essential to prevent service disruption.
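
As an added illustration of the path-traversal class described in the second bullet (example code written for this advisory, not Gotenberg's own fix), the Go helper below validates archive entry names before anything is extracted; `SafeEntryPath` and `CheckEntries` are hypothetical names and the sample entries are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

var ErrUnsafeEntryName = errors.New("unsafe archive entry name")

// SafeEntryPath returns the slash-separated relative path an archive entry may be
// written under, or ErrUnsafeEntryName. Hypothetical helper, not Gotenberg's code.
// Backslashes are rejected on every platform: "..\..\x" is one harmless component to
// Go's path package on Linux but becomes traversal once a Windows extractor splits on it.
func SafeEntryPath(name string) (string, error) {
	switch {
	case name == "", strings.ContainsAny(name, "\\\x00"): // empty, Windows separator, NUL
		return "", ErrUnsafeEntryName
	case strings.HasPrefix(name, "/"), len(name) >= 2 && name[1] == ':': // absolute or C:
		return "", ErrUnsafeEntryName
	}
	clean := path.Clean(name) // collapses "./a", "a/../b" and trailing slashes
	if clean == "." || clean == ".." || strings.HasPrefix(clean, "../") {
		return "", ErrUnsafeEntryName
	}
	return clean, nil
}

// CheckEntries validates every name before anything is written; one bad entry
// rejects the whole archive instead of extracting the rest.
func CheckEntries(names []string) ([]string, error) {
	out := make([]string, 0, len(names))
	for _, n := range names {
		p, err := SafeEntryPath(n)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", n, err)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	// Constructed sample names, as an uploader-controlled multipart request might carry.
	for _, s := range []string{"report.pdf", "./images/a.png", "..\\..\\escape.txt", "../x", "C:\\x"} {
		p, err := SafeEntryPath(s)
		fmt.Printf("%-22q -> %q %v\n", s, p, err)
	}
}
```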

RECOMMENDATION:

  • We recommend updating Gotenberg to version 8.33.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-vp73-vjw8-8f32
https://github.com/advisories/GHSA-hwc4-gmrw-5222
