{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35458", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-07T14:24:21.651Z", "dateUpdated": "2026-04-07T14:24:21.651Z"}, "containers": {"cna": {"title": "Gotenberg has a ReDoS via extraHttpHeaders scope feature", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992"}], "affected": [{"vendor": "gotenberg", "product": "gotenberg", "versions": [{"version": "<= 8.29.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:24:21.651Z"}, "descriptions": [{"lang": "en", "value": "Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely."}], "source": {"advisory": "GHSA-fmwg-qcqh-m992", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely."}], "id": "CVE-2026-35458", "lastModified": "2026-04-08T21:27:15.610", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:43.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.29.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "gotenberg", "source": "cna", "vendor": "gotenberg"}, "product": "gotenberg", "vendor": "gotenberg"}], "analysis": {"en": {"generated_at": "2026-04-07T19:53:34.877976+00:00", "value": {"mitigation_remediation": ["Upgrade Gotenberg to a version later than 8.29.1 that includes the regex timeout fix", "Restrict or sanitize user\u2011supplied scope patterns, ensuring only trusted inputs are processed", "Monitor worker CPU usage and response times to detect potential ReDoS attempts", "If upgrade is not immediately possible, temporarily disable features that accept custom scope patterns until a patch is applied"], "summary": {"action": "Patch Immediately", "impact": "Service Denial via ReDoS"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Gotenberg, the open\u2011source API for document conversion, in releases 8.29.1 and all prior versions. Users who have permission to submit custom scope patterns through the API are potentially exposed.", "description_and_impact": "Gotenberg versions 8.29.1 and earlier compile user\u2011supplied scope patterns with the dlclark/regexp2 library without imposing a timeout. The patterns trigger catastrophic backtracking, consuming excessive CPU resources and causing the worker process to hang. This denial\u2011of\u2011service behavior can make the entire document\u2011conversion service unavailable while the worker remains blocked.", "risk_and_exploitability": "The CVSS score of 8.7 categorizes this issue as High severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers do not need elevated privileges beyond those needed to submit API requests with custom scope patterns. A user who can provide such patterns can intentionally cause the worker to hang, leading to service unavailability for all consumers of the API. Because the exploit requires only normal API usage, the risk of exploitation is significant."}}}}, "created": "2026-04-08T19:37:31.888122+00:00", "updated": "2026-04-08T19:49:00.285663+00:00", "vendors": ["gotenberg", "gotenberg$PRODUCT$gotenberg"]}