PatchSiren cyber security CVE debrief
CVE-2026-42592 Thecodingmachine CVE debrief
A time-of-check to time-of-use (TOCTOU) vulnerability in Gotenberg's URL filtering allows DNS rebinding attacks against internal services. The FilterOutboundURL function performs initial DNS resolution and IP validation, but discards resolved addresses. Chromium subsequently performs its own DNS resolution when navigating, creating a window where an attacker controlling DNS with short TTL records can return a public IP during Gotenberg's check and a private IP during Chromium's connection. The CDP Fetch.requestPaused handler performs additional DNS resolution, but this occurs before Chromium's TCP connect, leaving an exploitable timing gap. Successful exploitation renders attacker-chosen internal service responses as PDF output to the caller.
- Vendor: Thecodingmachine
- Product: Gotenberg
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-14
- Advisory updated: 2026-05-18
Who should care
Organizations running Gotenberg PDF generation services, particularly those deployed with access to internal networks or services. Security teams managing containerized document processing pipelines and developers integrating Gotenberg into applications that process untrusted URLs.
Technical summary
Gotenberg versions prior to 8.32.0 contain a time-of-check to time-of-use vulnerability in the FilterOutboundURL function. The function resolves hostnames and validates IPs against a private-address deny-list, but discards resolved addresses rather than passing them to Chromium. Chromium performs independent DNS resolution when navigating to URLs, enabling DNS rebinding attacks where an attacker-controlled DNS server returns a public IP during Gotenberg's validation check and a private IP during Chromium's subsequent resolution. The Chrome DevTools Protocol Fetch.requestPaused handler re-checks URLs, but it performs its own DNS resolution before Chromium's TCP connection, leaving an exploitable timing window. This allows attackers to render responses from internal services as PDF output.
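The check-then-discard gap described above closes when the address is validated at connect time, so the check and the use share one resolution. The following is an added example, not Gotenberg's code or its 8.32.0 fix; `isDenied`, `connectGuard` and `newGuardedDialer` are hypothetical names, the sample targets are constructed, and the pattern assumes the outbound connection is made by Go code (for instance an egress proxy) rather than by Chromium itself.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"syscall"
	"time"
)

// errDenied marks a connection attempt to a non-public address.
var errDenied = errors.New("destination address is not public")

// isDenied reports whether addr is in a range the renderer must not reach.
func isDenied(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:10.0.0.5 as 10.0.0.5
	return !addr.IsValid() || addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsMulticast() || addr.IsUnspecified()
}

// connectGuard is a net.Dialer Control hook. It runs after name resolution and
// just before the socket connects, so the address it inspects is the one the
// connection will use; a second DNS answer cannot slip in between.
func connectGuard(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unparseable dial target %q: %w", address, err)
	}
	if isDenied(ap.Addr()) {
		return fmt.Errorf("%w: %s", errDenied, ap.Addr())
	}
	return nil
}

// newGuardedDialer returns a dialer that enforces the deny-list on every connect.
func newGuardedDialer() *net.Dialer {
	return &net.Dialer{Timeout: 5 * time.Second, Control: connectGuard}
}

func main() {
	// Constructed sample targets, in the form the Control hook receives them.
	for _, target := range []string{"127.0.0.1:8080", "[::ffff:10.0.0.5]:80",
		"169.254.169.254:80", "93.184.216.34:443"} {
		fmt.Printf("%-24s -> %v\n", target, connectGuard("tcp", target, nil))
	}
}
```

Wiring `newGuardedDialer().DialContext` into an `http.Transport` applies the check to every connection, including those made after redirects.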
Defensive priority
medium
Recommended defensive actions
- Upgrade Gotenberg to version 8.32.0 or later to obtain the fix for this DNS rebinding vulnerability
- If immediate patching is not possible, implement network-level egress filtering to restrict Gotenberg container outbound connections to expected destinations
- Consider deploying DNS security controls that detect or block suspicious rapid IP changes for hostnames with short TTLs
- Monitor Gotenberg instance network traffic for anomalous connections to internal RFC 1918 addresses or unexpected internal services
- Review application architecture to ensure Gotenberg instances operate in isolated network segments without access to sensitive internal services
Evidence notes
Vendor advisory confirms TOCTOU condition between FilterOutboundURL DNS check and Chromium navigation. CWE-367 (TOCTOU) and CWE-918 (SSRF) classifications support the DNS rebinding attack vector. Fix version 8.32.0 addresses the vulnerability.
Official resources
- CVE-2026-42592 CVE record (CVE.org)
- CVE-2026-42592 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory (2026-05-14)