CVE-2026-42594

HIGH 7.5

Gotenberg: Unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent request claims the recycled context, c.Reset() clears the store. If the webhook goroutine reaches hardTimeoutMiddleware at that moment, an unchecked type assertion on a nil store entry panics outside any recover() scope, crashing the Gotenberg process. Any anonymous caller reaches the webhook path (default webhook-deny-list filters only the webhook destination, not the submitter). A single-source stress of ~24 webhook requests plus ~60 GET /version requests crashes the process in about two seconds. This vulnerability is fixed in 8.32.0.

CWE	CWE-362
Vendor	gotenberg
Product	gotenberg
Published	May 14, 2026

Stay Ahead of the Next One

Get instant alerts for gotenberg gotenberg

Be the first to know when new high vulnerabilities affecting gotenberg gotenberg are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

gotenberg / gotenberg

< 8.32.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-r33j-c622-r6qp