Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-2mrg-35hw-x3x9 | Gotenberg: SSRF via LibreOffice document processing |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 10 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gotenberg
Gotenberg gotenberg |
|
| Vendors & Products |
Gotenberg
Gotenberg gotenberg |
Fri, 10 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.34.0, Gotenberg's /forms/libreoffice/convert endpoint allows a specially crafted document to cause LibreOffice to automatically retrieve external HTTP(S) resources and local file resources during document conversion, enabling blind SSRF and limited local file disclosure via linked image resource loading. This issue is fixed in version 8.34.0. | |
| Title | Gotenberg: SSRF via LibreOffice document processing | |
| Weaknesses | CWE-918 | |
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-10T20:35:12.809Z
Reserved: 2026-06-16T16:16:32.628Z
Link: CVE-2026-55229
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T21:30:04Z
Weaknesses
Github GHSA