Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Gotenberg unauthenticated blind SSRF via unfiltered webhook URL
Vulnerability Description
Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe. This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.
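The defect class described above is a fail-open URL filter: with no allow-list and no deny-list configured, the gate returns nil and every webhook target passes. The Go below is an added illustration, not Gotenberg's own code: `filterFailOpen` models that behaviour, `filterFailClosed` shows a fail-closed alternative that rejects loopback, RFC 1918 and link-local destinations (including the 169.254.0.0/16 range that holds cloud metadata endpoints) when no lists are configured, and `applyLists` shows the assumed allow/deny semantics behind settings such as GOTENBERG_API_WEBHOOK_ALLOW_LIST and GOTENBERG_API_WEBHOOK_DENY_LIST. All function names, the regex list representation and the `constructedLookup` resolver records are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"regexp"
	"strings"
)

// applyLists implements the assumed allow/deny semantics: with an allow-list the
// URL must match one entry; with a deny-list it must match none.
func applyLists(raw string, allow, deny []*regexp.Regexp) error {
	if len(allow) > 0 {
		matched := false
		for _, re := range allow {
			if re.MatchString(raw) {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("webhook URL %q does not match the allow-list", raw)
		}
	}
	for _, re := range deny {
		if re.MatchString(raw) {
			return fmt.Errorf("webhook URL %q matches the deny-list", raw)
		}
	}
	return nil
}

// filterFailOpen models the defect class: with both lists empty (the default
// configuration) every URL is accepted, so the webhook target is unconstrained.
func filterFailOpen(raw string, allow, deny []*regexp.Regexp) error {
	if len(allow) == 0 && len(deny) == 0 {
		return nil // fail-open: nothing constrains the destination
	}
	return applyLists(raw, allow, deny)
}

// blockedPrefixes: loopback, RFC 1918, link-local (which contains the
// 169.254.169.254 metadata address), unspecified, IPv6 ULA and link-local.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
}

func isBlockedAddr(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:10.0.0.1 the same as 10.0.0.1
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// filterFailClosed keeps the list semantics but, with no lists configured, rejects
// internal destinations instead of returning nil. lookup is injected so the check
// runs offline. Note: validating a name now and dialing later leaves a DNS
// rebinding window; production code should dial the vetted address directly.
func filterFailClosed(raw string, allow, deny []*regexp.Regexp, lookup func(string) ([]netip.Addr, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("webhook scheme %q is not http or https", u.Scheme)
	}
	host := u.Hostname()
	lower := strings.ToLower(host)
	if host == "" || lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return fmt.Errorf("webhook host %q is empty or local", host)
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a} // IP literal: no resolution needed
	} else if lookup == nil {
		return fmt.Errorf("cannot resolve %q: no resolver configured", host)
	} else if addrs, err = lookup(host); err != nil || len(addrs) == 0 {
		return fmt.Errorf("cannot resolve webhook host %q", host)
	}
	for _, a := range addrs {
		if isBlockedAddr(a) {
			return fmt.Errorf("webhook host %q resolves to blocked address %s", host, a)
		}
	}
	return applyLists(raw, allow, deny)
}

// constructedLookup is a stand-in resolver with made-up records (constructed for
// this example) so the demo never touches the network.
func constructedLookup(host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"hooks.example.com": {netip.MustParseAddr("203.0.113.10")},
		"intranet.example":  {netip.MustParseAddr("10.20.30.40")},
	}
	if addrs, ok := table[strings.ToLower(host)]; ok {
		return addrs, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, u := range []string{"http://169.254.169.254/latest/meta-data/", "http://intranet.example/cb", "https://hooks.example.com/cb"} {
		fmt.Printf("%-45s fail-open=%v  fail-closed=%v\n", u, filterFailOpen(u, nil, nil), filterFailClosed(u, nil, nil, constructedLookup))
	}
}
```

Running `main` shows the two filters disagreeing on the metadata and intranet URLs while both accept the external receiver. Even with the fail-closed default, the allow-list is the stronger control: it pins webhook receivers to known hosts rather than enumerating what to exclude.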
CVSS Information
N/A
Vulnerability Type
Server-side request forgery (SSRF)
Vulnerability Title
Gotenberg code issue vulnerability
Vulnerability Description
Gotenberg is a developer-friendly API open-sourced by Gotenberg for converting multiple document formats into PDF files. Gotenberg version 8.29.1 contains a code issue vulnerability: the FilterDeadline function unconditionally returns nil when both the allow-list and deny-list are empty, permitting any URL. This may allow an unauthenticated attacker to use a crafted URL to force the server to issue HTTP POST requests to arbitrary internal or external destinations, resulting in a blind SSRF attack.
CVSS Information
N/A
Vulnerability Type
N/A