CVE-2026-42589
CriticalSummary
Gotenberg is a PDF file API that, prior to version 8.31.0, did not validate keys in JSON objects sent to the /forms/pdfengines/metadata/write endpoint. Using a newline character in a JSON key allows for the injection of arbitrary ExifTool flags, leading to unauthenticated OS command execution.
Risk Assessment
An attacker can gain access to the operating system by executing arbitrary commands, posing a serious security threat to the organization. Additionally, the attack response is difficult to detect as it returns a valid PDF file.
Recommendation
It is recommended to update Gotenberg to version 8.31.0 or later to eliminate this vulnerability. Consider implementing additional monitoring and input validation mechanisms.
Original NVD description (English source)
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argument line, allowing an attacker to inject arbitrary ExifTool flags — including -if, which evaluates Perl expressions. This achieves unauthenticated OS command execution in a single HTTP request. The response is HTTP 200 with a valid PDF, making the attack transparent to basic monitoring. This vulnerability is fixed in 8.31.0.

