CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QMWH-9M9C-H36M: Arbitrary File Write and Blocklist Bypass in Gotenberg ExifTool Integration

Vulnerability ID: GHSA-QMWH-9M9C-H36M
CVSS Score: 8.7
Published: 2026-04-07

Gotenberg version 8.29.0 contains an incomplete fix for an arbitrary file write vulnerability in its ExifTool metadata update process. The 8.29.0 patch compared metadata keys against a blocklist case-sensitively, but ExifTool matches tag names without regard to case, so an attacker can bypass the list with alternate casing (for example `filename` or `FILENAME` instead of `FileName`) or by using filesystem-affecting pseudo-tags the list omitted. Either route again yields arbitrary file writes, renames, and hard or symbolic link creation on the server.

TL;DR

An unauthenticated arbitrary file write vulnerability in Gotenberg stems from a case-sensitive blocklist that ExifTool's case-insensitive tag matching renders ineffective. By sending metadata keys in an unexpected case, or keys the list never covered, an attacker directs ExifTool to write, rename, or link files on the server, compromising system integrity.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-178
  • CVSS Score: 8.7
  • Attack Vector: Network
  • Authentication Required: None
  • Privileges Required: None
  • Exploit Status: Proof-of-Concept
  • Impact: Arbitrary File Write / System Integrity Compromise

Affected Systems

  • Gotenberg 8.29.0 (affected range: >= 8.29.0, < 8.30.0; fixed in 8.30.0)
  • The ExifTool metadata update pipeline within Gotenberg

Code Analysis

Commit: 15050a3

Fix blocklist bypass by using case-insensitive metadata key comparison and expanding blocked tags.
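The two checks below illustrate the bug and the fix the commit message describes. This is an added example written for this page, not Gotenberg's own code: the exact-case filter is a hypothetical reconstruction of the 8.29.0 behaviour, the case-folded filter applies the fix's approach (lower-case the key before lookup and block every pseudo-tag the advisory names), and the two JSON payloads are constructed for the demonstration. Function names, the blocked-key set, and the `-Tag=Value` argument shape are assumptions, not the project's identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed request bodies for the demonstration (not taken from the advisory).
const harmlessPayload = `{"Author": "alice", "Title": "Quarterly report"}`
const bypassPayload = `{"Title": "x", "filename": "/tmp/evil.pdf", "SYMLINK": "/etc/passwd"}`

// Hypothetical reconstruction of the incomplete 8.29.0 check: the blocklist is
// consulted with the key exactly as the client sent it, so "filename" slips past.
var blockedExact = map[string]struct{}{
	"FileName":  {},
	"Directory": {},
}

// Hardened check in the spirit of commit 15050a3: keys are lower-cased before
// lookup and the set covers the filesystem-affecting pseudo-tags the advisory names.
var blockedFolded = map[string]struct{}{
	"filename":  {},
	"directory": {},
	"hardlink":  {},
	"symlink":   {},
}

// parseMetadata decodes the JSON object a client sends as metadata.
func parseMetadata(payload string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, fmt.Errorf("metadata is not a JSON object: %w", err)
	}
	return m, nil
}

// sortedKeys gives deterministic iteration order over the metadata map.
func sortedKeys(m map[string]interface{}) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// RejectedExact mirrors the bypassable filter: only an exact-case match is caught.
func RejectedExact(m map[string]interface{}) []string {
	var out []string
	for _, k := range sortedKeys(m) {
		if _, bad := blockedExact[k]; bad {
			out = append(out, k)
		}
	}
	return out
}

// RejectedFolded is the hardened filter: ExifTool matches tag names without
// regard to case, so the comparison folds case before the lookup.
func RejectedFolded(m map[string]interface{}) []string {
	var out []string
	for _, k := range sortedKeys(m) {
		if _, bad := blockedFolded[strings.ToLower(k)]; bad {
			out = append(out, k)
		}
	}
	return out
}

// BuildExifToolArgs turns validated metadata into -Tag=Value arguments and
// refuses the whole request if any key is blocked, rather than silently dropping it.
func BuildExifToolArgs(payload string) ([]string, error) {
	m, err := parseMetadata(payload)
	if err != nil {
		return nil, err
	}
	if bad := RejectedFolded(m); len(bad) > 0 {
		return nil, fmt.Errorf("blocked metadata keys: %s", strings.Join(bad, ", "))
	}
	var args []string
	for _, k := range sortedKeys(m) {
		args = append(args, fmt.Sprintf("-%s=%v", k, m[k]))
	}
	return args, nil
}

func main() {
	for _, p := range []string{harmlessPayload, bypassPayload} {
		m, err := parseMetadata(p)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("payload %s\n  exact-case filter rejects:  %v\n  case-folded filter rejects: %v\n",
			p, RejectedExact(m), RejectedFolded(m))
	}
}
```

Running it shows the exact-case filter passing `filename` and `SYMLINK` untouched while the case-folded filter rejects both. Rejecting the request outright, rather than deleting the offending key and continuing, also keeps the behaviour observable in logs, which matters when you are trying to spot probing against an exposed instance.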

Exploit Details

  • Official Advisory: contains proof-of-concept curl commands demonstrating both the case-variant bypass of the 8.29.0 blocklist and the pseudo-tags it failed to block.

Mitigation Strategies

  • Upgrade to patched software version
  • Network segmentation and access control
  • API request payload inspection

Remediation Steps:

  1. Upgrade Gotenberg deployment to version 8.30.0 or higher.
  2. Configure network policies or reverse proxy configurations to ensure the Gotenberg API is inaccessible from the public internet.
  3. Implement WAF rules to inspect JSON metadata payloads and block requests whose keys match, case-insensitively, the names filename, directory, hardlink, and symlink (for example the pattern `(?i)^(filename|directory|hardlink|symlink)$` applied to each key). Treat this as defense in depth, not a substitute for the upgrade.
  4. Deploy host-based file integrity monitoring (FIM) within the container environment to alert on unexpected file creation, renames, and hard or symbolic link creation by the Gotenberg process.

References

Read the full report for GHSA-QMWH-9M9C-H36M on our website for more details including interactive diagrams and full exploit analysis.
