High severity · NVD Advisory · Published Mar 9, 2024 · Updated Feb 13, 2025
WeasyPrint allows the attachment of arbitrary files and URLs to a PDF
CVE-2024-28184
Description
WeasyPrint is a library that renders HTML and CSS to PDF. In versions 61.0 and 61.1, the content of arbitrary local files and URLs can be attached to a generated PDF even when a custom url_fetcher has been configured to deny access to them: the code paths that build PDF attachments (`<link rel="attachment">` elements, link annotations and the `attachments` option) did not use the document's url_fetcher, so the configured restriction never applied to attachment content. The issue is fixed in version 61.2.
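As an added example (not WeasyPrint's own code), here is the defensive pattern a deployment would want around this advisory: a url_fetcher that only allows http(s) requests to an allowlisted host, a version predicate for the affected range, and a post-render check that refuses a PDF carrying embedded files. That last check is the only one that helps on 61.0 and 61.1, because the attachment paths never consult the fetcher there. The example assumes WeasyPrint's public `HTML(string=..., url_fetcher=...)` API and the `default_url_fetcher(url, timeout, ssl_context)` signature; the allowlist host, the sample HTML and the PDF fragments are constructed for this example, and the policy functions run without WeasyPrint installed.

```python
"""Hardening checks around WeasyPrint attachments (added example, not
project code). Assumes WeasyPrint's public API `HTML(string=...,
url_fetcher=...)` and `default_url_fetcher(url, timeout=10,
ssl_context=None)`; the allowlist, the sample HTML and the PDF fragments
used by callers are constructed for this example."""
from urllib.parse import urlsplit

# Constructed policy: only http(s) to one internal asset host.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"assets.example.internal"}


class BlockedURL(ValueError):
    """Raised by the fetcher for any URL outside the allowlist."""


def check_url(url):
    """Return url unchanged if policy allows it, else raise BlockedURL.
    file://, data: and non-allowlisted hosts are all rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme {parts.scheme!r} not allowed: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise BlockedURL(f"host {parts.hostname!r} not allowed: {url}")
    return url


def is_allowed(url):
    """Boolean form of check_url, convenient for audits and tests."""
    try:
        check_url(url)
    except BlockedURL:
        return False
    return True


def restrictive_url_fetcher(url, timeout=10, ssl_context=None):
    """url_fetcher to pass to HTML(); same signature as the default one.
    WeasyPrint is imported lazily so the policy above runs without it."""
    check_url(url)
    from weasyprint import default_url_fetcher
    return default_url_fetcher(url, timeout=timeout, ssl_context=ssl_context)


def is_affected_version(version):
    """True for 61.0 and 61.1 (the advisory's range); 61.2+ and <61 are not."""
    nums = [int(p) for p in version.split(".")[:2]] + [0]
    return nums[0] == 61 and nums[1] < 2


def has_embedded_files(pdf):
    """Heuristic post-render check: an attachment appears as an
    /EmbeddedFile stream and an /EmbeddedFiles name tree in the PDF.
    Assumes these dictionaries are written uncompressed, i.e. the writer
    does not place them in object streams."""
    return b"/EmbeddedFile" in pdf


# Constructed attacker-controlled HTML. On 61.0/61.1 both attachment paths
# bypass url_fetcher; on 61.2 the document's fetcher is consulted and the
# blocked attachments are not embedded (WeasyPrint may log rather than
# propagate the error, which is why the output is checked as well).
MALICIOUS_HTML = """<html><head><title>report</title>
<link rel="attachment" href="file:///etc/passwd">
</head><body><a href="file:///etc/hostname">internal link</a></body></html>"""


def render_without_attachments(html):
    """Render with the restrictive fetcher and refuse any PDF that still
    carries embedded files, as defence in depth on affected versions."""
    from weasyprint import HTML
    pdf = HTML(string=html, url_fetcher=restrictive_url_fetcher).write_pdf()
    if has_embedded_files(pdf):
        raise BlockedURL("rendered PDF contains embedded files; refusing")
    return pdf


if __name__ == "__main__":
    try:
        render_without_attachments(MALICIOUS_HTML)
        print("no attachments embedded")
    except BlockedURL as exc:
        print("blocked:", exc)
```

Passing url_fetcher is still necessary on 61.2, since attachments now honour it, but it is not sufficient on the affected releases: upgrade, and treat the embedded-file check as a detective control on output produced from untrusted HTML.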
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| weasyprint (PyPI) | >= 61.0, < 61.2 | 61.2 |
Affected products
- Range: >= 61.0, <= 61.1
Patches
734ee8e2dc84 Use document's url_fetcher for attachments
3 files changed · +8 −3
weasyprint/html.py+3 −1 modified@@ -281,7 +281,9 @@ def get_html_metadata(html): if url is None: LOGGER.error('Missing href in <link rel="attachment">') else: - attachment = Attachment(url=url, description=attachment_title) + attachment = Attachment( + url=url, description=attachment_title, + url_fetcher=html.url_fetcher) attachments.append(attachment) return { 'title': title,
weasyprint/pdf/anchors.py+3 −1 modified@@ -252,8 +252,10 @@ def add_annotations(links, matrix, document, pdf, page, annot_files, compress): # TODO: Use the title attribute as description. The comment # above about multiple regions won't always be correct, because # two links might have the same href, but different titles. + attachment = Attachment( + url=annot_target, url_fetcher=document.url_fetcher) annot_files[annot_target] = write_pdf_attachment( - pdf, Attachment(annot_target), compress) + pdf, attachment, compress) annot_file = annot_files[annot_target] if annot_file is None: continue
weasyprint/pdf/__init__.py+2 −1 modified@@ -249,7 +249,8 @@ def generate_pdf(document, target, zoom, **options): if options['attachments']: for attachment in options['attachments']: if not isinstance(attachment, Attachment): - attachment = Attachment(attachment) + attachment = Attachment( + attachment, url_fetcher=document.url_fetcher) attachments.append(attachment) pdf_attachments = [] for attachment in attachments:
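Review bot: in the weasyprint/html.py hunk, the `<link rel="attachment">` branch now passes `url_fetcher=html.url_fetcher` into `Attachment(...)`, but nothing in the hunk shows that `Attachment` consults that fetcher when it reads `url`, and that is exactly the assumption the bypass broke; add a regression test that renders `<link rel="attachment" href="file:///...">` with a url_fetcher that raises and asserts that no attachment is embedded. The same three-line construction is repeated in anchors.py and pdf/__init__.py, so a small helper on the document that builds attachments with its own fetcher would keep a fourth call site from omitting the keyword again.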
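Review bot: in the weasyprint/pdf/anchors.py hunk, `write_pdf_attachment` can return None (the `if annot_file is None: continue` two lines below), so a link target that the document's url_fetcher now refuses is dropped silently with no trace in the output or the logs; log at warning level with `annot_target` there so operators can distinguish a policy block from a missing file. The TODO above the change still stands: `Attachment(url=annot_target, url_fetcher=document.url_fetcher)` passes no description, which is fine for this fix, so leave the TODO in place rather than letting the new construction hide it.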
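Review bot: in the weasyprint/pdf/__init__.py hunk, `url_fetcher=document.url_fetcher` is applied only in the `not isinstance(attachment, Attachment)` branch, so an `Attachment` instance the caller built without its own url_fetcher keeps whatever the constructor defaulted to and is not covered by the document's restriction; either state in the `attachments` option docs that callers passing `Attachment` objects must set `url_fetcher` themselves, or set it on pre-built instances when it is unset. The first positional argument is passed through unchanged, so every type `attachments` accepted before still reaches `Attachment` positionally; a line documenting which types are accepted would help reviewers of the next change here.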
Vulnerability mechanics
WeasyPrint lets a caller supply a custom url_fetcher to control how resources referenced by a document are loaded. The fix commit shows that the three code paths that create PDF attachments did not go through it: `<link rel="attachment">` elements in `get_html_metadata` (weasyprint/html.py), link annotations in `add_annotations` (weasyprint/pdf/anchors.py) and entries of the `attachments` option in `generate_pdf` (weasyprint/pdf/__init__.py) all built `Attachment` objects without passing a `url_fetcher`, so the restriction configured on the document did not apply to attachment content. Attacker-controlled HTML could therefore name local files or internal URLs as attachments and have their contents embedded in the PDF regardless of the configured policy. The patch passes the document's `url_fetcher` at each of the three call sites.
References
- github.com/advisories/GHSA-35jj-wx47-4w8r (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28184 (NVD entry)
- github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598 (fix commit)
- github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r (vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6 (Fedora package announcement)