CVE-2024-21527

by Fred · 19/07/2024

Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as . By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read on the host system. WorkaroundAn alternative is using either or both –chromium-deny-list and –chromium-allow-list flags.</p> <p>More information : <a href="https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356">https://gist.github.com/filipochnik/bc88a3d1cc17c07cec391ee98e1e6356</a></p> <div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-x"><a rel="nofollow noopener noreferrer" data-shared="sharing-x-639920" class="share-x sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=x" target="_blank" aria-labelledby="sharing-x-639920" > <span id="sharing-x-639920" hidden>Click to share on X (Opens in new window)</span> <span>X</span> </a></li><li class="share-bluesky"><a rel="nofollow noopener noreferrer" data-shared="sharing-bluesky-639920" class="share-bluesky sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=bluesky" target="_blank" aria-labelledby="sharing-bluesky-639920" > <span id="sharing-bluesky-639920" hidden>Click to share on Bluesky (Opens in new window)</span> <span>Bluesky</span> </a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-639920" class="share-facebook sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=facebook" target="_blank" aria-labelledby="sharing-facebook-639920" > <span id="sharing-facebook-639920" hidden>Click to share on Facebook (Opens in new window)</span> <span>Facebook</span> </a></li><li class="share-linkedin"><a rel="nofollow noopener noreferrer" data-shared="sharing-linkedin-639920" class="share-linkedin sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=linkedin" target="_blank" aria-labelledby="sharing-linkedin-639920" > <span id="sharing-linkedin-639920" hidden>Click to share on LinkedIn (Opens in new window)</span> <span>LinkedIn</span> </a></li><li class="share-threads"><a rel="nofollow noopener noreferrer" data-shared="sharing-threads-639920" class="share-threads sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=threads" target="_blank" aria-labelledby="sharing-threads-639920" > <span id="sharing-threads-639920" hidden>Click to share on Threads (Opens in new window)</span> <span>Threads</span> </a></li><li class="share-mastodon"><a rel="nofollow noopener noreferrer" data-shared="sharing-mastodon-639920" class="share-mastodon sd-button share-icon no-text" href="https://security.nuyts.tech/cve-2024-21527/?share=mastodon" target="_blank" aria-labelledby="sharing-mastodon-639920" > <span id="sharing-mastodon-639920" hidden>Click to share on Mastodon (Opens in new window)</span> <span>Mastodon</span> </a></li><li class="share-end"></li></ul></div></div></div> <div id='jp-relatedposts' class='jp-relatedposts' > <h3 class="jp-relatedposts-headline"><em>Similar</em></h3> </div> <nav class="pagination group"> </nav> </div> <div class="clear"></div> </div> </div> </article> <div class="clear"></div> <p class="post-tags"><span>Tags:</span> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" rel="tag">Cybersecurity Alert</a></p> <section id="comments" class="themeform">  </section> </div> </main> <div class="sidebar s1 collapsed" data-position="left" data-layout="col-2cr" data-sb-id="s1"> <button class="sidebar-toggle" title="Expand Sidebar"><i class="fas sidebar-toggle-arrows"></i></button> <div class="sidebar-content"> <ul class="post-nav group"> <li class="next"><strong>Next story </strong><a href="https://security.nuyts.tech/cve-2024-5604/" rel="next"><i class="fas fa-chevron-right"></i><span>CVE-2024-5604</span></a></li> <li class="previous"><strong>Previous story </strong><a href="https://security.nuyts.tech/cve-2024-6898/" rel="prev"><i class="fas fa-chevron-left"></i><span>CVE-2024-6898</span></a></li> </ul> <div id="search-4" class="widget widget_search"><form role="search" method="get" class="search-form" action="https://security.nuyts.tech/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="Search …" value="" name="s" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></div> <div id="recent-posts-2" class="widget widget_recent_entries"> <h3 class="widget-title">Recent Posts</h3> <ul> <li> <a href="https://security.nuyts.tech/cve-2025-7367/">CVE-2025-7367</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-7360/">CVE-2025-7360</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-7341/">CVE-2025-7341</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-7340/">CVE-2025-7340</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-5394/">CVE-2025-5394</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-5393/">CVE-2025-5393</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-6265/">CVE-2025-6265</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53891/">CVE-2025-53891</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53890/">CVE-2025-53890</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53889/">CVE-2025-53889</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53887/">CVE-2025-53887</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53886/">CVE-2025-53886</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53885/">CVE-2025-53885</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53839/">CVE-2025-53839</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53836/">CVE-2025-53836</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53835/">CVE-2025-53835</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53834/">CVE-2025-53834</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53833/">CVE-2025-53833</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53825/">CVE-2025-53825</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53824/">CVE-2025-53824</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53823/">CVE-2025-53823</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53822/">CVE-2025-53822</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53821/">CVE-2025-53821</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53820/">CVE-2025-53820</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53819/">CVE-2025-53819</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53818/">CVE-2025-53818</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53643/">CVE-2025-53643</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53640/">CVE-2025-53640</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53639/">CVE-2025-53639</a> </li> <li> <a href="https://security.nuyts.tech/cve-2025-53623/">CVE-2025-53623</a> </li> </ul> </div><div id="categories-2" class="widget widget_categories"><h3 class="widget-title">Categories</h3> <ul> <li class="cat-item cat-item-13"><a href="https://security.nuyts.tech/category/critical-cyberalert/">Critical cyberalert</a> </li> <li class="cat-item cat-item-2"><a href="https://security.nuyts.tech/category/vulnerabilities/">Vulnerabilities</a> </li> </ul> </div><div id="tag_cloud-2" class="widget widget_tag_cloud"><h3 class="widget-title">Tags</h3><div class="tagcloud"><a href="https://security.nuyts.tech/tag/cisa/" class="tag-cloud-link tag-link-18 tag-link-position-1" style="font-size: 8pt;" aria-label="CISA (1 item)">CISA</a> <a href="https://security.nuyts.tech/tag/cybersecurity-alert/" class="tag-cloud-link tag-link-3 tag-link-position-2" style="font-size: 22pt;" aria-label="Cybersecurity Alert (277,336 items)">Cybersecurity Alert</a> <a href="https://security.nuyts.tech/tag/shields-up/" class="tag-cloud-link tag-link-14 tag-link-position-3" style="font-size: 8pt;" aria-label="Shields Up (1 item)">Shields Up</a></div> </div> </div> </div> </div> </div> </div> </div> <footer id="footer"> <section class="container" id="footer-bottom"> <div class="container-inner"> <a id="back-to-top" href="#"><i class="fas fa-angle-up"></i></a> <div class="hu-pad group"> <div class="grid one-half"> <div id="copyright"> <p>© 1999-2025 <a href="https://www.nuyts.tech">NUYTSTECH</a>. All Rights Reserved. Use of the CVE (Common Vulnerabilities and Exposures) from this non-profit website are subject to the terms of use.</p> </div> </div> <div class="grid one-half last"> <ul class="social-links"><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Twitter-square" aria-label="Follow us on Twitter-square" href="https://twitter.com/NUYTSTECH" target="_blank" ><i class="fab fa-twitter-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Facebook" aria-label="Follow us on Facebook" href="https://www.facebook.com/nuytstech" target="_blank" ><i class="fab fa-facebook-square"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Instagram" aria-label="Follow us on Instagram" href="https://www.instagram.com/nuyts.tech/" target="_blank" ><i class="fab fa-instagram"></i></a></li><li><a rel="nofollow noopener noreferrer" class="social-tooltip" title="Follow us on Tumblr" aria-label="Follow us on Tumblr" href="https://nuytstech.tumblr.com/" target="_blank" ><i class="fab fa-tumblr-square"></i></a></li></ul> </div> </div> </div> </section> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/hueman\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script>  <script async src="https://www.googletagmanager.com/gtag/js?id=G-BDBTK0NYFL"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-BDBTK0NYFL'); </script>  <script>  <script type="importmap" id="wp-importmap"> {"imports":{"@wordpress\/interactivity":"https:\/\/security.nuyts.tech\/wp-includes\/js\/dist\/script-modules\/interactivity\/index.min.js?ver=55aebb6e0a16726baffb"}} </script> <script type="module" src="https://security.nuyts.tech/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-forms/src/contact-form/../../dist/modules/form/view.js?ver=14.8" id="jp-forms-view-js-module"></script> <link rel="modulepreload" href="https://security.nuyts.tech/wp-includes/js/dist/script-modules/interactivity/index.min.js?ver=55aebb6e0a16726baffb" id="@wordpress/interactivity-js-modulepreload"><script type="application/json" id="wp-script-module-data-@wordpress/interactivity"> {"config":{"jetpack/form":{"error_types":{"is_required":"This field is required.","invalid_form_empty":"The form you are trying to submit is empty.","invalid_form":"Please fill out the form correctly."}}}} </script> <script type="text/javascript"> window.WPCOM_sharing_counts = {"https:\/\/security.nuyts.tech\/cve-2024-21527\/":639920}; </script> <script id="cookie-notice-front-js-before"> var cnArgs = {"ajaxUrl":"https:\/\/security.nuyts.tech\/wp-admin\/admin-ajax.php","nonce":"0dad1f11f8","hideEffect":"fade","position":"bottom","onScroll":false,"onScrollOffset":100,"onClick":false,"cookieName":"cookie_notice_accepted","cookieTime":2592000,"cookieTimeRejected":2592000,"globalCookie":false,"redirection":false,"cache":true,"revokeCookies":false,"revokeCookiesOpt":"automatic"}; </script> <script src="https://security.nuyts.tech/wp-content/plugins/cookie-notice/js/front.min.js?ver=2.5.7" id="cookie-notice-front-js"></script> <script src="https://c0.wp.com/c/6.8.2/wp-includes/js/underscore.min.js" id="underscore-js"></script> <script id="hu-front-scripts-js-extra"> var HUParams = {"_disabled":[],"SmoothScroll":{"Enabled":false,"Options":{"touchpadSupport":false}},"centerAllImg":"1","timerOnScrollAllBrowsers":"1","extLinksStyle":"","extLinksTargetExt":"","extLinksSkipSelectors":{"classes":["btn","button"],"ids":[]},"imgSmartLoadEnabled":"","imgSmartLoadOpts":{"parentSelectors":[".container .content",".post-row",".container .sidebar","#footer","#header-widgets"],"opts":{"excludeImg":[".tc-holder-img"],"fadeIn_options":100,"threshold":0}},"goldenRatio":"1.618","gridGoldenRatioLimit":"350","sbStickyUserSettings":{"desktop":false,"mobile":false},"sidebarOneWidth":"340","sidebarTwoWidth":"260","isWPMobile":"","menuStickyUserSettings":{"desktop":"stick_up","mobile":"stick_up"},"mobileSubmenuExpandOnClick":"1","submenuTogglerIcon":"<i class=\"fas fa-angle-down\"><\/i>","isDevMode":"","ajaxUrl":"https:\/\/security.nuyts.tech\/?huajax=1","frontNonce":{"id":"HuFrontNonce","handle":"9b1f3c9fc7"},"isWelcomeNoteOn":"","welcomeContent":"","i18n":{"collapsibleExpand":"Expand","collapsibleCollapse":"Collapse"},"deferFontAwesome":"","fontAwesomeUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/css\/font-awesome.min.css?3.7.27","mainScriptUrl":"https:\/\/security.nuyts.tech\/wp-content\/themes\/hueman\/assets\/front\/js\/scripts.min.js?3.7.27","flexSliderNeeded":"","flexSliderOptions":{"is_rtl":false,"has_touch_support":true,"is_slideshow":false,"slideshow_speed":5000},"fitTextMap":{"single_post_title":{"selectors":".single h1.entry-title","minEm":1.375,"maxEm":2.62},"page_title":{"selectors":".page-title h1","minEm":1,"maxEm":1.3},"home_page_title":{"selectors":".home .page-title","minEm":1,"maxEm":1.2,"compression":2.5},"post_titles":{"selectors":".blog .post-title, .archive .post-title","minEm":1.375,"maxEm":1.475},"featured_post_titles":{"selectors":".featured .post-title","minEm":1.375,"maxEm":2.125},"comments":{"selectors":".commentlist li","minEm":0.8125,"maxEm":0.93,"compression":2.5},"entry":{"selectors":".entry","minEm":0.9375,"maxEm":1.125,"compression":2.5},"content_h1":{"selectors":".entry h1, .woocommerce div.product h1.product_title","minEm":1.7578125,"maxEm":2.671875},"content_h2":{"selectors":".entry h2","minEm":1.5234375,"maxEm":2.390625},"content_h3":{"selectors":".entry h3","minEm":1.40625,"maxEm":1.96875},"content_h4":{"selectors":".entry h4","minEm":1.2890625,"maxEm":1.6875},"content_h5":{"selectors":".entry h5","minEm":1.0546875,"maxEm":1.40625},"content_h6":{"selectors":".entry h6","minEm":0.9375,"maxEm":1.265625,"compression":2.5}},"userFontSize":"16","fitTextCompression":"1.5"}; </script> <script src="https://security.nuyts.tech/wp-content/themes/hueman/assets/front/js/scripts.min.js?ver=3.7.27" id="hu-front-scripts-js" defer></script> <script id="jetpack-stats-js-before"> _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"197793834\",\"post\":\"639920\",\"tz\":\"2\",\"srv\":\"security.nuyts.tech\",\"j\":\"1:14.8\"}") ]); _stq.push([ "clickTrackerInit", "197793834", "639920" ]); </script> <script src="https://stats.wp.com/e-202530.js" id="jetpack-stats-js" defer data-wp-strategy="defer"></script> <script id="sharing-js-js-extra"> var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; </script> <script src="https://c0.wp.com/p/jetpack/14.8/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script id="sharing-js-js-after"> var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-x' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-x' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomx', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-bluesky' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-bluesky' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcombluesky', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-facebook' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-threads' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-threads' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomthreads', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-mastodon' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-mastodon' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcommastodon', 'menubar=1,resizable=1,width=460,height=400' ); return false; } } ); } )(); </script>   <div id="cookie-notice" role="dialog" class="cookie-notice-hidden cookie-revoke-hidden cn-position-bottom" aria-label="Cookie Notice" style="background-color: rgba(50,50,58,1);"><div class="cookie-notice-container" style="color: #fff"><span id="cn-notice-text" class="cn-text-container">We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.</span><span id="cn-notice-buttons" class="cn-buttons-container"><button id="cn-accept-cookie" data-cookie-set="accept" class="cn-set-cookie cn-button" aria-label="Ok" style="background-color: #00a99d">Ok</button><button data-link-url="https://security.nuyts.tech/terms-of-use/privacy-policy/" data-link-target="_blank" id="cn-more-info" class="cn-more-info cn-button" aria-label="Privacy policy" style="background-color: #00a99d">Privacy policy</button></span><span id="cn-close-notice" data-cookie-set="accept" class="cn-close-icon" title="No"></span></div> </div> </body> </html>