CVE-2026-42595 - Gotenberg Chromium URL SSRF

Gotenberg’s Chromium URL-to-PDF endpoint could fetch arbitrary HTTP/HTTPS targets, including loopback, RFC 1918, and cloud metadata addresses. Even when operators configured deny-lists, redirects could send Chromium or Go HTTP clients to internal targets after the initial URL passed validation.

This is a context-egress issue for document conversion services: a benign “render this URL” workflow becomes an internal network read primitive.

When to use it

Use this recipe when a document conversion service, browser-rendering pipeline, or agent workflow sends user-controlled URLs to Gotenberg Chromium URL-to-PDF. It supports source-code remediation, context-egress review, redirect-aware URL policy, and audit evidence that conversion cannot reach loopback, private networks, or cloud metadata services.

Inputs

  • Gotenberg version, Chromium route exposure, URL allow/deny policy, redirect handling, network egress controls, and deployment ingress.
  • Source/config paths that accept URLs, call Gotenberg, validate destinations, follow redirects, render PDFs, or serialize conversion logs.
  • Regression fixtures for private IPs, metadata IPs, loopback, redirect chains, allowed public URLs, mixed-case schemes, and expected deny behavior.
  • Boundary evidence: reachable internal services, egress firewall/proxy policy, conversion callers, logs, and rollout owner.

Affected versions

Package Vulnerable versions Fixed versions
github.com/gotenberg/gotenberg/v8 <8.32.0 8.32.0

Indicator-of-exposure

  • The repository deploys Gotenberg v8 before 8.32.0.
  • /forms/chromium/convert/url, downloadFrom, or webhook features are reachable by users, tenants, jobs, agents, or internal services.
  • Gotenberg can route to cloud metadata, loopback, Kubernetes services, internal admin panels, monitoring endpoints, or private APIs.
  • URL allow/deny policy only checks the initial URL and not redirect targets.

Quick checks:

rg -n "gotenberg|forms/chromium/convert/url|downloadFrom|Gotenberg-Webhook|webhook|8\\.3[01]|chromium.*deny|169\\.254\\.169\\.254" .
docker images | rg -i "gotenberg"
go list -m all 2>/dev/null | rg "gotenberg/gotenberg"

Remediation strategy

  • Upgrade all Gotenberg deployments to 8.32.0+ and pin image digests.
  • Add network egress policy that denies cloud metadata, loopback, link-local, private address ranges, cluster service CIDRs, and internal admin networks from the Gotenberg workload.
  • Require explicit URL allow-lists for URL-to-PDF features where practical.
  • Validate redirect destinations, not only the first URL.
  • Add safe tests for internal-address and redirect denial using local fixtures.

The prompt

You are remediating CVE-2026-42595 in Gotenberg. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Gotenberg, hardens URL fetch
  and egress policy, adds redirect-aware tests, refreshes generated artifacts,
  and documents operator actions, or
- TRIAGE.md if this repository does not control an affected Gotenberg runtime.

## Rules

- Scope only CVE-2026-42595 and directly related Gotenberg SSRF controls.
- Do not request cloud metadata endpoints, internal admin panels, credentials,
  Kubernetes APIs, or private services to prove exposure.
- Do not print or commit rendered internal responses, tokens, headers, PDFs,
  metadata, cookies, or service discovery output.
- Do not rely on regex-only URL checks as the only mitigation.
- Do not auto-merge.

## Steps

1. Inventory Dockerfiles, compose files, Helm charts, Kubernetes manifests,
   Terraform, lockfiles, Go modules, SBOMs, docs, and app config for Gotenberg.
2. Determine every Gotenberg version or image digest. A target is vulnerable if
   it runs Gotenberg v8 `<8.32.0`.
3. Find all callers and exposed routes for `/forms/chromium/convert/url`,
   `downloadFrom`, webhooks, URL-to-PDF conversion, and document conversion
   APIs that accept user, tenant, workflow, or agent-supplied URLs.
4. Upgrade Gotenberg to `8.32.0+` and pin the image by digest where the repo
   controls images. Regenerate manifests, SBOMs, deployment render output, and
   dependency reports.
5. Add workload egress controls denying:
   - `169.254.169.254` and cloud metadata ranges;
   - loopback and link-local addresses;
   - RFC 1918/private ranges unless explicitly allowed;
   - Kubernetes service CIDRs and internal admin networks.
6. Add app-level URL policy where the repo owns callers:
   - prefer allow-lists for trusted render origins;
   - block redirects to denied ranges;
   - limit fetch timeout, response size, and content type;
   - log decisions without logging sensitive URLs or responses.
7. Add safe tests using local dummy hosts to assert private-address and
   redirect targets are blocked. Do not contact real metadata services.
8. Add a PR body section named `CVE-2026-42595 operator actions` covering:
   Gotenberg versions before/after, exposed conversion routes, egress policy,
   URL allow-list posture, artifacts rebuilt, and whether logs should be
   reviewed for suspicious internal URL conversion.
9. Run validation: deployment render, container build, policy tests, unit tests,
   lint/typecheck, SBOM refresh, and dependency/security scans.
10. Use PR title:
    `fix(sec): block Gotenberg Chromium SSRF`.

## Stop conditions

- Gotenberg is not present or is managed outside this repository.
- All controlled deployments already run `8.32.0+` and egress policy is
  documented.
- Verification would require contacting real internal services or metadata
  endpoints.
- The product intentionally allows arbitrary URL rendering from untrusted users
  without egress policy; document the owner decision in TRIAGE.md.

Output contract

  • A reviewer-ready PR or change request that upgrades Gotenberg, blocks metadata/internal egress, adds redirect-aware URL policy tests, and documents conversion pipeline controls.
  • Or a TRIAGE.md file that lists inspected files/config, owner, observed version, URL rendering boundary, egress policy, required fix, and residual risk.
  • The output must include exact validation commands and must not fetch cloud metadata, internal systems, local services, or customer documents.

Verification - what the reviewer looks for

  • No controlled Gotenberg deployment runs <8.32.0.
  • Egress policy blocks metadata, loopback, link-local, private, and cluster internal ranges unless explicitly justified.
  • Redirect-aware tests prove deny policy is applied after redirects.
  • No sensitive rendered response data is committed or logged.

Watch for

  • Sidecar or worker Gotenberg deployments versioned separately from the main application.
  • Caller-side URL allow-lists that miss redirects, DNS rebinding, IPv6, or IPv4-mapped IPv6 forms.
  • Older Gotenberg SSRF advisories in the same upgrade window.

References