CVE-2026-42589
Gotenberg · Gotenberg
A command injection vulnerability in the Gotenberg PDF API allows unauthenticated remote attackers to execute OS commands via malicious JSON metadata.
Executive summary
A critical command injection vulnerability in Gotenberg allows an unauthenticated attacker to execute arbitrary OS commands through a single HTTP request.
Vulnerability
The application insecurely passes JSON metadata keys to ExifTool, allowing an attacker to inject newline characters and arbitrary flags, such as -if for Perl expression evaluation.
Business impact
Successful exploitation results in full unauthenticated remote code execution, granting the attacker control over the container and potentially the underlying host. With a CVSS score of 9.8, this flaw represents an immediate and extreme threat to any production environment running this service.
Remediation
Immediate Action: Upgrade the Gotenberg Docker image to version 8.31.0 or higher without delay.
Proactive Monitoring: Inspect web server logs for HTTP requests containing unexpected characters in JSON keys or suspicious command-line flag patterns.
Compensating Controls: Deploy a WAF with rules configured to block malicious input containing newline characters or suspicious command flags intended for ExifTool.
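The newline-and-flag pattern described under Vulnerability and the monitoring and WAF controls above can be implemented as a single pre-filter on the JSON metadata field before it reaches Gotenberg. The following is an added example, not Gotenberg's own code; it assumes the metadata arrives as a JSON object whose keys become ExifTool tag names, and the allowed tag-name shape is an assumption.

```python
import json
import re

# Assumed shape of a legitimate ExifTool tag name: starts with a letter, then
# letters/digits, ':' for group prefixes (e.g. XMP:Author), '_' or '-' inside.
TAG_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9:_-]*$")
# Any ASCII control character (including \n, \r, \t, NUL) has no place in a
# metadata key or value and is the primitive the injection relies on.
CONTROL_CHARS_RE = re.compile(r"[\x00-\x1f\x7f]")


def check_metadata(raw_json: str) -> list[str]:
    """Inspect a Gotenberg-style JSON metadata field before forwarding it.

    Returns a list of findings; an empty list means the field looks safe.
    Each finding is a short string suitable for a WAF rule hit or a log alert.
    """
    try:
        metadata = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc.msg}"]
    if not isinstance(metadata, dict):
        return ["metadata must be a JSON object"]

    findings: list[str] = []
    for key, value in metadata.items():
        # Keys are the dangerous surface: they end up on the ExifTool command line.
        if CONTROL_CHARS_RE.search(key):
            findings.append(f"control character in key {key!r}")
        elif key.startswith("-"):
            findings.append(f"key {key!r} looks like a command-line flag")
        elif not TAG_NAME_RE.match(key):
            findings.append(f"key {key!r} is not a plain tag name")
        # Values: CR/LF are never legitimate in a document metadata string.
        if isinstance(value, str) and CONTROL_CHARS_RE.search(value):
            findings.append(f"control character in value for key {key!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one benign request body and one carrying a newline
    # followed by a flag-like token in the key, as the advisory describes.
    for sample in ('{"Author": "Jane Doe", "XMP:Title": "Q3 report"}',
                   '{"Author\\n-x": "1"}'):
        print(sample, "->", check_metadata(sample) or "clean")
```

Run it in front of the reverse proxy or in the calling application; a non-empty result is the signal to reject the request and raise the alert described under Proactive Monitoring.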
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ease of exploitation and high severity of this command injection vulnerability require immediate remediation. Organizations should update their Docker deployments immediately to prevent unauthenticated access and potential system takeover.