How severe is GHSA-jjwv-57xh-xr6r?

No CVSS score has been assigned to GHSA-jjwv-57xh-xr6r yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-jjwv-57xh-xr6r?

GHSA-jjwv-57xh-xr6r affects the following packages: github.com/gotenberg/gotenberg/v8 (Go), github.com/gotenberg/gotenberg/v7 (Go). Ecosystems affected: Go.

How do I fix GHSA-jjwv-57xh-xr6r?

Update github.com/gotenberg/gotenberg/v8 to 8.29.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jjwv-57xh-xr6r is resolved across your whole dependency graph.

How do I detect GHSA-jjwv-57xh-xr6r in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/gotenberg/gotenberg/v8. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-jjwv-57xh-xr6r if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-jjwv-57xh-xr6r?

O3 pinpoints whether GHSA-jjwv-57xh-xr6r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-jjwv-57xh-xr6r actively exploited in the wild?

No public exploit code has been indexed for GHSA-jjwv-57xh-xr6r yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-jjwv-57xh-xr6r?

GHSA-jjwv-57xh-xr6r has an EPSS (Exploit Prediction Scoring System) score of 0.5%, placing it in the 41th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-jjwv-57xh-xr6r?

GHSA-jjwv-57xh-xr6r is classified as Path Traversal (CWE-22), Server-Side Request Forgery (SSRF) (CWE-918). These weakness types describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-jjwv-57xh-xr6r published, and has it been updated?

GHSA-jjwv-57xh-xr6r was published on March 30, 2026 and was last updated on April 6, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-jjwv-57xh-xr6r

Gotenberg has Chromium deny-list bypass via case-insensitive URL scheme (bypass of GHSA-rh2x-ccvw-q7r3)

Also known asCVE-2026-27018GO-2026-4905

Published

Mar 30, 2026

Updated

Apr 6, 2026

Affected

2 pkgs

Patched

1 / 2

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.5%probability of exploitation in next 30 days

Lower Risk41th percentile+0.51%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected

🐹github.com/gotenberg/gotenberg/v8🐹github.com/gotenberg/gotenberg/v7

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes.

The default --chromium-deny-list value is ^file:(?!//\/tmp/).*. This regex is anchored to lowercase file: at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like FILE:///etc/passwd or File:///etc/passwd bypasses the deny-list check but still gets resolved by Chromium as file:///etc/passwd.

The root cause is in pkg/gotenberg/filter.go — the FilterDeadline function compiles the deny-list regex with regexp2.MustCompile(denied.String(), 0), where 0 means no flags (case-sensitive). Since the regex pattern itself doesn't include a (?i) flag, matching is strictly case-sensitive.

This affects both the URL endpoint and HTML conversion (via iframes, link tags, etc.).

Steps to Reproduce

Start Gotenberg with default settings:

docker run --rm -p 3000:3000 gotenberg/gotenberg:8.26.0 gotenberg

Read /etc/passwd via the URL endpoint using an uppercase scheme:

curl -X POST 'http://localhost:3000/forms/chromium/convert/url' \
  --form 'url=FILE:///etc/passwd' -o output.pdf

Open output.pdf — it contains the contents of /etc/passwd.
Alternatively, create an index.html:

<iframe src="FILE:///etc/passwd" width="100%" height="100%"></iframe>

Then convert it:

curl -X POST 'http://localhost:3000/forms/chromium/convert/html' \
  -F '[email protected]' -o output.pdf

The resulting PDF contains /etc/passwd contents.

Mixed-case variants like File:, fILE:, fiLE: etc. all work as well.

Root Cause

pkg/modules/chromium/chromium.go defines the default deny-list as ^file:(?!//\/tmp/).*
pkg/gotenberg/filter.go compiles this with regexp2.MustCompile(denied.String(), 0) — flag 0 means case-sensitive
pkg/modules/chromium/events.go uses FilterDeadline to check intercepted request URLs against the deny-list
Chromium normalizes URL schemes to lowercase, so FILE:///etc/passwd becomes file:///etc/passwd after the deny-list check has already passed

Suggested Fix

Change the default deny-list regex to use a case-insensitive flag:

(?i)^file:(?!//\/tmp/).*

Or apply case-insensitive matching in FilterDeadline when compiling the regex.

Severity

This is effectively the same impact as CVE-2024-21527 — unauthenticated arbitrary file read from the Gotenberg container. An attacker can leak environment variables, configuration, credentials, and other sensitive data.

Affected Packages

2 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/gotenberg/gotenberg/v8`	all versions	8.29.0
🐹Go	`github.com/gotenberg/gotenberg/v7`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/gotenberg/gotenberg/v8. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/gotenberg/gotenberg/v8 to 8.29.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jjwv-57xh-xr6r is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-jjwv-57xh-xr6r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-jjwv-57xh-xr6r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact The fix introduced in version 8.1.0 for GHSA-rh2x-ccvw-q7r3 (CVE-2024-21527) can be bypassed using mixed-case or uppercase URL schemes. The default `--chromium-deny-list` value is `^file:(?!//\/tmp/).*`. This regex is anchored to lowercase `file:` at the start. However, per RFC 3986 Section 3.1, URI schemes are case-insensitive. Chromium normalizes the scheme to lowercase before navigation, so a URL like `FILE:///etc/passwd` or `File:///etc/passwd` bypasses the deny-list check but still gets resolved by Chromium as `file:///etc/passwd`. The root cause is in `pkg/gotenberg/filter.

O3 Security · Impact-Aware SCA

Is GHSA-jjwv-57xh-xr6r in your dependencies?

O3 detects GHSA-jjwv-57xh-xr6r across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works