WeasyPrint Vulnerable to Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
Description
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's default_url_fetcher. The vulnerability allows attackers to access internal network resources (such as localhost services or cloud metadata endpoints) even when a developer has implemented a custom url_fetcher to block such access. This occurs because the underlying urllib library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| weasyprint | PyPI | < 68.0 | 68.0 |
Affected products
- Range: v0.1, v0.10, v0.11, … (GHSA coordinates, 3 package identifiers: pkg:pypi/weasyprint; pkg:rpm/opensuse/python-weasyprint&distro=openSUSE%20Leap%2016.0; pkg:rpm/opensuse/python-weasyprint&distro=openSUSE%20Tumbleweed)
- pkg:pypi/weasyprint (no CPE): range < 68.0
- pkg:rpm/opensuse/python-weasyprint, openSUSE Leap 16.0 (no CPE): range < 65.1-bp160.2.1
- pkg:rpm/opensuse/python-weasyprint, openSUSE Tumbleweed (no CPE): range < 68.0-1.1
References
- github.com/advisories/GHSA-983w-rhvv-gwmv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-68616 (GHSA, advisory)
- github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 (GHSA, x_refsource_MISC, web)
- github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv (GHSA, x_refsource_CONFIRM, web)