StartedApr 13, 2026, 5:30 PM
EndedApr 13, 2026, 5:32 PM
Casecase_6d07dfd19034471ba2ff439ed0a89a89
Modelopenai/gpt-5.4
Context
Blind label
blind_4756db61556f
Advisory
GHSA-fmwg-qcqh-m992 • Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Judge score
93 (excellent)
Rubric breakdown
Target Alignment
27
Source To Sink Reasoning
29
Impact And Exploitability
19
Evidence Quality
8
Overclaim Control
10
Prompt624 chars
This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from `pkg/modules/chromium/routes.go` and trace how user-controlled `extraHttpHeaders` input reaches the `scope` regex handling in `FormDataChromiumOptions`. Show, with grounded code evidence, that the vulnerable commit compiles a user-supplied `regexp2` pattern without a `MatchTimeout`, and explain why that creates a ReDoS / worker-hang condition for Chromium form endpoints such as `/forms/chromium/screenshot/url`. Avoid speculative impact beyond denial of service.
OutputJSON
{
"executiveSummary": "The Chromium form handlers accept user-controlled `extraHttpHeaders` JSON, parse `scope=...` tokens from header values, and compile those scope strings into `*regexp2.Regexp` objects in `FormDataChromiumOptions`. The compiled regex is stored without any `MatchTimeout` being set, and later evaluated against each request URL during Chromium request interception. Because `regexp2` supports backtracking and no timeout is configured, a malicious scope pattern can cause catastrophic backtracking and hang a worker handling Chromium form endpoints such as `/forms/chromium/screenshot/url`, resulting in denial of service.",
"reports": [
{
"title": "User-supplied `extraHttpHeaders` scope regex compiled with `regexp2` and used without `MatchTimeout`, enabling ReDoS / worker hang in Chromium form endpoints",
"severity": "HIGH",
"summary": "`FormDataChromiumOptions` reads the user-provided `extraHttpHeaders` form field, extracts `scope=...` from header values, and compiles that scope with `regexp2.Compile(scope, regexp2.None)`. The resulting regex is stored in `ExtraHttpHeader.Scope` and later executed via `header.Scope.MatchString(e.Request.URL)` for intercepted Chromium requests. No `MatchTimeout` is set on the compiled regexp before use. A crafted backtracking-heavy scope pattern can therefore hang matching and block the worker servicing endpoints like `/forms/chromium/screenshot/url`.",
"rootCauseAnalysis": "The root cause is direct compilation of attacker-controlled regex input with the backtracking `regexp2` engine and no execution timeout. In `pkg/modules/chromium/routes.go`, the `extraHttpHeaders` custom form parser unmarshals a JSON map supplied by the client, extracts a `scope` token from each header value, and calls `regexp2.Compile(scope, regexp2.None)`. The compiled object is assigned to `ExtraHttpHeader.Scope`. In `pkg/modules/chromium/events.go`, that scope is evaluated with `MatchString` against request URLs to decide whether a header applies. Since the code never sets `scopeRegexp.MatchTimeout`, matching time is unbounded.",
"impact": "An attacker who can submit Chromium form requests can provide a malicious `extraHttpHeaders` scope regex that triggers catastrophic backtracking during URL matching. This can hang or significantly stall the worker processing the request, causing denial of service for the affected Chromium form endpoint. The grounded impact supported by the code is worker hang / request-processing DoS; no broader impact is claimed.",
"attackPath": "1. Send a multipart POST request to a Chromium form endpoint such as `/forms/chromium/screenshot/url`.\n2. Supply the `extraHttpHeaders` form field as JSON, with a header value containing `scope=<attacker regex>`.\n3. `FormDataChromiumScreenshotOptions` calls `FormDataChromiumOptions`, which unmarshals `extraHttpHeaders`, extracts the scope string, and compiles it with `regexp2.Compile`.\n4. During Chromium request inteTool calls
(11)$
sed -n '1,260p' /workspace/pkg/modules/chromium/routes.go && printf '\n---\n' && rg -n "extraHttpHeaders|FormDataChromiumOptions|regexp2|MatchTimeout|scope" /workspace/pkg/modules/chromium /workspace/pkg/modules -Sexit 124(no output)
$
sed -n '1,240p' /workspace/pkg/modules/chromium/routes.gopackage chromium import ( "bytes" "encoding/json" "errors" "fmt" "html/template" "net/http" "os" "path/filepath" "strconv"
$
rg -n "extraHttpHeaders|FormDataChromiumOptions|regexp2|MatchTimeout|scope" /workspace/pkg/modules/chromium /workspace/pkg/modulesexit 124(no output)
$
sed -n '240,420p' /workspace/pkg/modules/chromium/routes.go return fmt.Errorf("unmarshal emulatedMediaFeatures: %w", err)
}
for k, v := range features {
emulatedMediaFeatures = append(emulatedMediaFeatures, EmulatedMediaFeature{
Name: k,
Value: v,
})
}
return err
}).$
rg -n "type ExtraHttpHeader|Scope \*regexp2|ExtraHttpHeaders|FormDataChromiumOptions\(|/forms/chromium/screenshot/url|screenshot/url|extraHttpHeaders" /workspace/pkg/modules/chromium /workspace/pkg/modules/api/workspace/pkg/modules/api/context.go:87: // ExtraHttpHeaders are the HTTP headers to send alongside.
/workspace/pkg/modules/api/context.go:88: ExtraHttpHeaders map[string]string `json:"extraHttpHeaders"`
/workspace/pkg/modules/api/context.go:256: for key, value := range dl.ExtraHttpHeaders {
/workspace/pkg/modules/chromium/browser.go:362: extraHttpHeaders: options.ExtraHttpHeaders,
/workspace/pkg/modules/chromium/chromium.go:176: // ExtraHttpHeaders are extra HTTP headers to send by Chromium while
/workspace/pkg/modules/chromium/chromium.go:178: ExtraHttpHeaders []ExtraHttpHeader
/workspace/pkg/modules/chromium/chromium.go:228: ExtraHttpHeaders: nil,
/workspace/pkg/modules/chromium/chromium.go:398:type ExtraHttpHeader struct {
/workspace/pkg/modules/chromium/chromium.go:410: Scope *regexp2.Regexp
/workspace/pkg/modules/chromium/events.go:29: extraHttpHeaders []ExtraHttpHeader
/workspace/pkg/modules/chromium/events.go:37: if len(options.extraHttpHeaders) == 0 {
/workspace/pkg/modules/chromium/events.go:40: logger.DebugContext(ctx, fmt.Sprintf("extra HTTP headers: %+v", options.extraHttpHeaders))$
sed -n '388,420p' /workspace/pkg/modules/chromium/chromium.go // HttpOnly sets the cookie as HTTP-only if true.
// Optional.
HttpOnly bool `json:"httpOnly,omitempty"`
// SameSite is cookie 'Same-Site' status.
// Optional.
SameSite network.CookieSameSite `json:"sameSite,omitempty"`
}
// ExtraHttpHeader are extra HTTP headers to send by Chromium.
type ExtraHttpHeader struct {
// Name is the header name.$
sed -n '80,160p' /workspace/pkg/modules/chromium/events.go cctx := chromedp.FromContext(ctx)
executorCtx := cdp.WithExecutor(ctx, cctx.Target)
if !allow {
req := fetch.FailRequest(e.RequestID, network.ErrorReasonAccessDenied)
err = req.Do(executorCtx)
if err != nil {
logger.ErrorContext(ctx, fmt.Sprintf("fail request: %s", err))
}
return
}
$
sed -n '440,500p' /workspace/pkg/modules/chromium/routes.go if err != nil {
return fmt.Errorf("convert URL to PDF: %w", err)
}
return nil
},
}
}
// screenshotUrlRoute returns an [api.Route] which can take a screenshot from a
// URL.
func screenshotUrlRoute(chromium Api) api.Route {$
rg -n "MatchTimeout" /workspace && printf '\n---\n' && rg -n "regexp2\.Compile\(|MustCompile\(" /workspace/pkg/modules/chromium /workspace/pkg/modules | head -n 50exit 124(no output)
$
rg -n "MatchTimeout" /workspaceexit 124(no output)
$
rg -n "regexp2\.Compile\(|MustCompile\(" /workspace/pkg/modules/chromium /workspace/pkg/modules | head -n 50exit 124(no output)