GitHub: fineman999/POC_CVE-2026-42589

# POC_CVE-2026-42589

Local reproduction lab and nuclei template draft for `CVE-2026-42589` affecting Gotenberg.

## Summary

`CVE-2026-42589` is an unauthenticated remote code execution issue in Gotenberg caused by metadata key newline injection in:

```
POST /forms/pdfengines/metadata/write
```

Affected Gotenberg forwards user-controlled metadata keys to ExifTool without rejecting control characters. A metadata key containing JSON-escaped newlines may be split into additional ExifTool arguments.

This lab was used to validate:

- vulnerable behavior on `gotenberg/gotenberg:8.29.1`
- patched behavior on `gotenberg/gotenberg:8.31.0`

The nuclei template uses only a non-destructive `sleep 6` timing check.

## References

- GitHub Advisory: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-rqgh-gxv4-6657
- Fixed release: https://github.com/gotenberg/gotenberg/releases/tag/v8.31.0
- ExifTool docs: https://exiftool.org/exiftool_pod.html

## Files

- `docker-compose.yml`
- `docker-compose.latest.yml`
- `CVE-2026-42589.yaml`
- `manual_verify.py`
- `sample.pdf`
- `README.md`

## Vulnerable Test

Start Gotenberg `8.29.1`:

```bash
docker compose down -v
docker compose up -d
docker compose logs --tail=100 gotenberg
```

Check the version:

```bash
curl -s http://127.0.0.1:3000/version
```

Manual raw multipart timing check:

```bash
python3 manual_verify.py http://127.0.0.1:3000
```

Expected vulnerable signal:

```
HTTP/1.1 500 Internal Server Error
TOTAL_TIME=6.xs
```

Observed vulnerable result:

```
HTTP/1.1 500 Internal Server Error
TOTAL_TIME=6.300s
Internal Server Error
```

## Patched-Version Control

Start Gotenberg `8.31.0`:

```bash
docker compose -f docker-compose.latest.yml down -v
docker compose -f docker-compose.latest.yml up -d
docker compose -f docker-compose.latest.yml logs --tail=100 gotenberg
```

Check the version:

```bash
curl -s http://127.0.0.1:3000/version
```

Run the same manual timing check:

```bash
python3 manual_verify.py http://127.0.0.1:3000
```

Observed patched-version result:

```
HTTP/1.1 400 Bad Request
TOTAL_TIME=0.145s
At least one PDF engine cannot process the requested metadata, while others may have failed to convert due to different issues
```

## Nuclei

Validate the template:

```bash
nuclei -duc -validate -t CVE-2026-42589.yaml
```

Run against the vulnerable target:

```bash
nuclei -duc -u http://127.0.0.1:3000 -t CVE-2026-42589.yaml
```

Expected behavior:

- `8.29.1`: match after the delayed `500` response
- `8.31.0`: no match

Observed vulnerable result:

```
[CVE-2026-42589] [http] [critical] http://127.0.0.1:3000/forms/pdfengines/metadata/write
[INF] Scan completed in 6.245907708s. 1 matches found.
```

Observed patched-version result:

```
[INF] Scan completed in 93.01425ms. No results found.
```

## Notes

- This lab intentionally avoids file writes, reverse shells, and out-of-band callbacks.
- The template detects behavior, not only a version banner.
- No real-world targets were used.
- Use only on systems you own or are explicitly authorized to test.
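The Summary above attributes the issue to metadata keys reaching ExifTool with control characters intact. As an added illustration (not code from this repository or from Gotenberg), the following Go check shows the kind of key validation that turns such a request into a `400` before anything is handed to an external tool; `validateMetadataKeys` and `checkMetadataJSON` are hypothetical names, and the JSON inputs are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"unicode"
)

// ErrControlChar is returned when a metadata key contains a control character.
var ErrControlChar = errors.New("metadata key contains a control character")

// validateMetadataKeys returns the first key containing a control character
// (newline, carriage return, tab, NUL, ...). A handler receiving a non-nil
// error should answer 400 and never pass the map on to ExifTool.
// Illustrative check, not Gotenberg's own code.
func validateMetadataKeys(metadata map[string]any) (string, error) {
	for key := range metadata {
		for _, r := range key {
			if unicode.IsControl(r) {
				return key, ErrControlChar
			}
		}
	}
	return "", nil
}

// checkMetadataJSON decodes the JSON object a client sends as the metadata
// field and validates its keys. The JSON escape "\n" decodes to a real
// newline here, which is exactly what the key validation must catch.
func checkMetadataJSON(raw []byte) (string, error) {
	var metadata map[string]any
	if err := json.Unmarshal(raw, &metadata); err != nil {
		return "", err
	}
	return validateMetadataKeys(metadata)
}

func main() {
	// Constructed inputs: a benign document and one whose key carries an
	// escaped newline (backslash-n in the raw string, decoded by json).
	for _, raw := range []string{
		`{"Author": "Alice", "Title": "Report"}`,
		`{"Author\nInjected": "x"}`,
	} {
		key, err := checkMetadataJSON([]byte(raw))
		fmt.Printf("%s -> rejected key=%q err=%v\n", raw, key, err)
	}
}
```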