
Gotenberg

v8.33.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 5d API Development
✓ No known CVEs patched

Topics

api chrome chromium convert-to-pdf docker docx-to-pdf excel exiftool html-to-pdf libreoffice openoffice pdf pdf-converter pdftk puppeteer qpdf screenshots unoconv wkhtmltopdf word

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

v8.33.0 adds two security mitigations: it blocks IPv6 prefixes that tunnel internal IPv4 addresses in IsPublicIP, and it strips backslash separators from filenames to prevent path traversal.

Why it matters: The release patches a high-severity (90) IPv6 prefix tunneling issue and a medium-severity (70) filename path-traversal issue; operators should apply the update immediately if their deployment filters public IPs or accepts user-supplied file names.

Summary

AI summary

Updates Bug Fixes, Security Fixes ⚠️, and Chore across a mixed release.

Changes in this release

  • Security Critical: Blocks IPv6 prefixes tunneling internal IPv4 in IsPublicIP. (Source: llm_adapter@2026-05-29; Confidence: high)
  • Security High: Strips backslash separators from supplied filenames to prevent path traversal. (Source: llm_adapter@2026-05-29; Confidence: high)
  • Feature Low: Adds deviceScaleFactor field for controlling screenshot pixel density. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)
  • Bugfix Medium: Stops pinning proxy on Chromium start failure to prevent port leaks. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)
  • Bugfix Medium: Requires consecutive probe failures before marking supervised process unhealthy. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)
  • Bugfix Low: Registers lifecycle listener before navigation to avoid missed events. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)
  • Bugfix Low: Serializes result merging in downloadFrom to prevent concurrent map writes. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)
  • Bugfix Low: Logs client cancellation errors at debug level instead of error. (Source: granite4.1:30b@2026-05-29-audit; Confidence: low)

Full changelog

Security Fixes ⚠️

  • Block IPv6 prefixes that tunnel to internal IPv4 in IsPublicIP. Addresses such as ::ffff:10.0.0.1 (IPv4-mapped), 2002:c0a8:: (6to4), and 2001::/32 (Teredo) embed an internal IPv4 destination inside an IPv6 address. IsPublicIP evaluated only the outer IPv6 form, so --*-deny-private-ips filters let the embedded private IPv4 reach the dialer. The check now unwraps IPv4-mapped, IPv4-translated, 6to4, and Teredo addresses, and rejects them when the embedded IPv4 is non-public.
  • Strip backslash separators from supplied filenames. Linux treated a caller-supplied Gotenberg-Output-Filename header or filename form field containing ..\ or foo\bar as a single segment. The handler now strips both forward-slash and backslash path separators before composing the output path.
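The unwrapping step described in the first fix, written out as an added Go example (not Gotenberg's own code): the outer address and every IPv4 it embeds are judged with the same non-public policy, so ::ffff:10.0.0.1 and 2002:c0a8:: are rejected just like 10.0.0.1. The prefix constants, the helper names, and the choice to check both the Teredo server and client addresses are this example's assumptions.

```go
package main

import "net/netip"

// Added illustration (not Gotenberg's code) of the unwrapping step behind the
// IsPublicIP fix: judge the IPv4 tunneled inside an IPv6 form, not just the outer address.
var (
	translatedPrefix = netip.MustParsePrefix("64:ff9b::/96") // IPv4-translated (NAT64 well-known prefix), IPv4 in bytes 12..15
	sixToFourPrefix  = netip.MustParsePrefix("2002::/16")    // 6to4, IPv4 in bytes 2..5
	teredoPrefix     = netip.MustParsePrefix("2001::/32")    // Teredo, server IPv4 in bytes 4..7, client IPv4 in bytes 12..15 XOR 0xff
)

// isNonPublic is the policy applied to the outer address and to every embedded IPv4.
func isNonPublic(ip netip.Addr) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() || ip.IsLinkLocalMulticast()
}

// embeddedIPv4 lists the IPv4 addresses carried inside a tunneling IPv6 form (nil if none).
func embeddedIPv4(ip netip.Addr) []netip.Addr {
	if ip.Is4In6() { // ::ffff:a.b.c.d (IPv4-mapped)
		return []netip.Addr{ip.Unmap()}
	}
	b := ip.As16()
	switch {
	case translatedPrefix.Contains(ip):
		return []netip.Addr{netip.AddrFrom4([4]byte{b[12], b[13], b[14], b[15]})}
	case sixToFourPrefix.Contains(ip):
		return []netip.Addr{netip.AddrFrom4([4]byte{b[2], b[3], b[4], b[5]})}
	case teredoPrefix.Contains(ip):
		server := netip.AddrFrom4([4]byte{b[4], b[5], b[6], b[7]})
		client := netip.AddrFrom4([4]byte{b[12] ^ 0xff, b[13] ^ 0xff, b[14] ^ 0xff, b[15] ^ 0xff})
		return []netip.Addr{server, client}
	}
	return nil
}

// IsPublicIP returns false when the outer address or any embedded IPv4 is non-public.
func IsPublicIP(s string) (bool, error) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	for _, cand := range append([]netip.Addr{ip}, embeddedIPv4(ip)...) {
		if isNonPublic(cand) {
			return false, nil
		}
	}
	return true, nil
}
```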

New Features

  • Device scale ratio for screenshots (#1543). A new deviceScaleFactor form field on /forms/chromium/screenshot/{html,url,markdown} controls the screenshot pixel density. Defaults to 1. Thanks @hovcharenko.

Bug Fixes

  • Pinning proxy outlived a failed Chromium start. When chromedp failed to start (port conflict, container OOM, sandbox denial), the loopback HTTP/CONNECT pinning proxy added in 8.32.0 stayed bound to its port and leaked across restart attempts. The browser now stops the pinning proxy on every start failure.
  • Lifecycle listener race on Navigate. chromedp.Navigate could fire Page.lifecycleEvent before Gotenberg's listener subscribed, so the converter occasionally waited the full network-idle timeout on otherwise fast pages. Listeners now register before navigation.
  • Supervisor flapped on transient CDP latency. A single slow CDP health probe marked the supervised process unhealthy and triggered a restart, even when the next probe succeeded. Probes now require N consecutive failures before reporting unhealthy.
  • downloadFrom concurrent map writes. Parallel downloadFrom entries merged results into a shared map without a lock. Under enough concurrency this raced and panicked the request goroutine. Result merging is now serialized.
  • Pinning-proxy noise on client cancellations. "context canceled" and "connection reset by peer" errors from the client side of the pinning proxy were logged at error level, flooding logs whenever a caller aborted mid-render. Client-cancelled dial errors now log at debug level.

Chore

  • Updated Chromium to version 148.0.7778.178-1.
  • Updated Go dependencies.

Security Fixes

  • CVE-TBD – Block IPv6 prefixes that tunnel to internal IPv4 in `IsPublicIP`
  • Strip backslash separators from supplied filenames to prevent path traversal
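The filename fix, as an added Go example rather than Gotenberg's own handler code: both separator kinds are removed from the caller-supplied name before it is joined to the output directory, so a value like ..\ or foo\bar, which Linux would otherwise keep as one odd-looking segment, can never introduce a path component. The function names, the fallback argument, and the decision to refuse a remaining "." or ".." are this example's assumptions.

```go
package main

import (
	"path/filepath"
	"strings"
)

// SanitizeOutputFilename is an added illustration (not Gotenberg's code) of the
// "strip both separators" mitigation. filepath on Linux treats '\' as an ordinary
// byte, so stripping must cover both '/' and '\' explicitly, independent of host OS.
func SanitizeOutputFilename(name, fallback string) string {
	name = strings.NewReplacer("/", "", `\`, "").Replace(name)
	name = strings.TrimSpace(name)
	// Whatever survives is a single segment; the only ones that still point
	// elsewhere are "." and "..", which fall back to a safe default (this example's choice).
	if name == "" || name == "." || name == ".." {
		return fallback
	}
	return name
}

// OutputPath composes the final path; the sanitised name cannot escape dir.
func OutputPath(dir, supplied, fallback string) string {
	return filepath.Join(dir, SanitizeOutputFilename(supplied, fallback))
}
```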


About Gotenberg

Developer-friendly API to interact with powerful tools like Chromium and LibreOffice for converting numerous document formats (HTML, Markdown, Word, Excel, etc.) into PDF files, and more.
