GHSA-qmwh-9m9c-h36m: Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags

April 7, 2026

The fix for ExifTool arbitrary file write (commit 043b158, released in v8.29.0) uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the HardLink and SymLink pseudo-tags entirely.

Confirmed end-to-end against Gotenberg v8.29.1 via the unauthenticated HTTP API.

References

github.com/advisories/GHSA-qmwh-9m9c-h36m
github.com/gotenberg/gotenberg
github.com/gotenberg/gotenberg/commit/15050a311b73d76d8b9223bafe7fa7ba71240011
github.com/gotenberg/gotenberg/security/advisories/GHSA-qmwh-9m9c-h36m

Code Behaviors & Features

Detect and mitigate GHSA-qmwh-9m9c-h36m with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →