Document Foundation · Libreoffice · CVE-2026-42591
**Name of the Vulnerable Software and Affected Versions**
Gotenberg versions 8.31.0 and earlier
**Description**
A Server-Side Request Forgery (SSRF) issue exists in the LibreOffice conversion endpoint `/forms/libreoffice/convert`. Although some SSRF hardening is present in the Go code, the application passes uploaded documents directly to LibreOffice without inspecting their content. Because LibreOffice is a separate process that manages its own HTTP connections via libcurl, its requests bypass the Go-level filters. An attacker can upload an office document (OOXML `.docx`, `.docm`, `.xlsx`, `.xlsm`, `.pptx` or `.pptm`; ODF `.odt`, `.ods` or `.odp`; or `.rtf`) containing embedded external image references with `TargetMode="External"` to force the server to make outbound HTTP requests. This can be used to reach internal services, retrieve cloud metadata from `http://169.254.169.254/`, or port-scan the internal network.
**Recommendations**
Run LibreOffice with `unshare --net` to remove all network access from the subprocess.
Scan uploaded OOXML files for `rels/*.rels` entries containing `TargetMode="External"` and validate or strip those URLs before processing the file with LibreOffice.
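The following Go program is an added example written for this page, not Gotenberg's own code, showing both halves of the second recommendation: it walks every `.rels` part of an OOXML package, removes each relationship whose `TargetMode` is `External` (returning what it removed for logging), and offers a validate-instead-of-strip check that flags targets such as the link-local metadata address. The `relationships` types, the `Sanitize`, `IsUnsafeTarget` and `SampleDocx` names, and the minimal `.docx` built in memory are all assumptions constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"io"
	"net"
	"net/url"
	"strings"
)

// relationships mirrors one OOXML .rels part (types written for this example).
type relationships struct {
	XMLName xml.Name       `xml:"http://schemas.openxmlformats.org/package/2006/relationships Relationships"`
	Rels    []relationship `xml:"Relationship"`
}
type relationship struct {
	ID         string `xml:"Id,attr"`
	Type       string `xml:"Type,attr"`
	Target     string `xml:"Target,attr"`
	TargetMode string `xml:"TargetMode,attr,omitempty"`
}
type ExternalRef struct{ Part, ID, Target string } // one TargetMode="External" entry and its .rels part

// Sanitize rewrites the package with every external relationship removed and returns
// the removed entries for logging; parts that are not .rels files are copied as-is.
func Sanitize(pkg []byte) ([]byte, []ExternalRef, error) {
	zr, err := zip.NewReader(bytes.NewReader(pkg), int64(len(pkg)))
	if err != nil {
		return nil, nil, err
	}
	var out bytes.Buffer
	zw := zip.NewWriter(&out)
	var found []ExternalRef
	for _, f := range zr.File {
		rc, err := f.Open()
		if err != nil {
			return nil, nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, nil, err
		}
		if strings.HasSuffix(strings.ToLower(f.Name), ".rels") {
			var r relationships
			if err := xml.Unmarshal(data, &r); err != nil {
				return nil, nil, err
			}
			kept := r.Rels[:0]
			for _, rel := range r.Rels {
				if strings.EqualFold(rel.TargetMode, "External") {
					found = append(found, ExternalRef{f.Name, rel.ID, rel.Target})
				} else {
					kept = append(kept, rel)
				}
			}
			r.Rels = kept
			body, _ := xml.Marshal(r) // re-emit the part without the external entries
			data = append([]byte(xml.Header), body...)
		}
		w, _ := zw.Create(f.Name) // names come from a zip we just parsed; in-memory writes cannot fail
		w.Write(data)
	}
	zw.Close()
	return out.Bytes(), found, nil
}

// IsUnsafeTarget is the validate-instead-of-strip option: true for anything that is not a
// plain http(s) URL or that points at loopback, link-local (where 169.254.169.254 lives),
// private or unspecified addresses. It does not resolve hostnames.
func IsUnsafeTarget(target string) bool {
	u, err := url.Parse(target)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return true
	}
	ip := net.ParseIP(u.Hostname()) // nil for a hostname; every IP check below is false on nil
	return strings.EqualFold(u.Hostname(), "localhost") ||
		ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate() || ip.IsUnspecified()
}

// SampleDocx builds a constructed, minimal .docx whose document.xml.rels carries one
// internal relationship and one external image pointing at the metadata address.
func SampleDocx() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range map[string]string{
		"word/document.xml": `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`,
		"word/_rels/document.xml.rels": `<?xml version="1.0"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="http://169.254.169.254/latest/meta-data/" TargetMode="External"/>
</Relationships>`,
	} {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}
```

Run `Sanitize` on the upload before it reaches LibreOffice and log the returned `ExternalRef` list; for a deployment that must keep some external images, replace the unconditional strip with a policy that drops only targets `IsUnsafeTarget` rejects, after resolving hostnames and re-checking the resulting IPs. Stripping is the safer default because it does not depend on the resolver.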