Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control chara…

Gotenberg, a Docker-powered stateless API for PDF files, contains a vulnerability in versions 8.30.1 and earlier where the metadata write endpoint validates metadata keys but leaves values unsanitized. An attacker can inject newline characters in metadata values to split ExifTool stdin lines and inject arbitrary pseudo-tags like -FileName, -Directory, -SymLink, and -HardLink. This bypasses the incomplete key-sanitization fix from v8.30.1. Unauthenticated attackers can rename, move, or overwrite arbitrary files in the container filesystem and create symlinks or hard links at arbitrary paths.