WeasyPrint Vulnerable to Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
Description
WeasyPrint helps web developers create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's default_url_fetcher. It lets an attacker reach internal network resources (such as services bound to localhost or cloud metadata endpoints) even when the developer has implemented a custom url_fetcher that validates each URL and then delegates to default_url_fetcher. The check is bypassed because the underlying urllib library follows HTTP redirects automatically: a request to an approved destination can be redirected to an internal one that is never re-validated against the developer's security policy. Version 68.0 contains a patch for the issue.
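The redirect problem described above, as an added example rather than WeasyPrint's own code: a caller that validates a URL against its policy and then lets urllib fetch it is bypassed by a 3xx response, because urllib's default HTTPRedirectHandler builds the follow-up request on its own. The hardened variant subclasses that handler so every hop is re-checked against the same policy. The AllowlistPolicy class, the PolicyRedirectHandler, the host names and the loopback demo server are all constructed for this example; none of them is a WeasyPrint API.

```python
"""Re-validating HTTP redirect targets in a urllib-based URL fetcher.

Added example, not WeasyPrint code. Models the pattern in the advisory: a caller
checks the URL it was asked to fetch, then hands it to urllib, which silently
follows 3xx redirects to destinations the caller never checked.
"""
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


class AllowlistPolicy:
    """Deny-by-default outbound policy (constructed for this example): http(s) only,
    the hostname must be allowlisted, and IP-literal hosts outside the global
    range (loopback, private, link-local such as 169.254.169.254) are refused."""

    def __init__(self, allowed_hosts):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def is_allowed(self, url):
        parts = urlparse(url)
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            return False
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            pass  # DNS name: a production fetcher should also resolve it and vet the address
        else:
            if not ip.is_global:
                return False
        return host.lower() in self.allowed_hosts


class PolicyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib calls redirect_request for every 3xx hop with the absolute Location.
    This hook is where the destination must be re-validated; the vulnerable
    pattern never overrides it, so the default handler follows anything."""

    def __init__(self, policy):
        self.policy = policy

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not self.policy.is_allowed(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect target refused by policy: " + newurl, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def vulnerable_fetch(url, policy, timeout=10):
    """Checks only the caller-supplied URL; the default opener follows redirects unchecked."""
    if not policy.is_allowed(url):
        raise ValueError("refused by policy: " + url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def hardened_fetch(url, policy, timeout=10):
    """Same initial check, but every redirect hop is re-validated by PolicyRedirectHandler."""
    if not policy.is_allowed(url):
        raise ValueError("refused by policy: " + url)
    opener = urllib.request.build_opener(PolicyRedirectHandler(policy))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


def redirect_decision(policy, original_url, location):
    """Offline check of the hook alone: the URL urllib would fetch next, or None if refused."""
    req = urllib.request.Request(original_url)
    try:
        new_req = PolicyRedirectHandler(policy).redirect_request(
            req, None, 302, "Found", {}, location)
    except urllib.error.HTTPError:
        return None
    return new_req.full_url


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed demo server: the 'external' host redirects to an IP-literal loopback URL."""

    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "http://127.0.0.1:%d/internal" % self.server.server_port)
            self.end_headers()
        elif self.path == "/internal":
            body = b"internal secret"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    policy = AllowlistPolicy({"localhost"})  # 'localhost' plays the allowed external host
    start = "http://localhost:%d/start" % server.server_port
    print("vulnerable:", vulnerable_fetch(start, policy))  # follows the redirect, returns the body
    try:
        hardened_fetch(start, policy)
    except urllib.error.HTTPError as exc:
        print("hardened:", exc)  # the 127.0.0.1 hop is refused
    server.shutdown()
```

Running the module starts a loopback server whose /start endpoint redirects to an IP-literal 127.0.0.1 URL: vulnerable_fetch returns the "internal secret" body, hardened_fetch raises HTTPError at the redirect. Two caveats: the policy vets only literal IP hosts, so a DNS name that resolves to an internal address (or rebinds to one after the check) still needs the resolved address pinned and checked at connect time; and refusing redirects altogether, as the patched default_url_fetcher does with allow_redirects=False, is the simpler choice when rendered documents have no legitimate need for them.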
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| weasyprint (PyPI) | < 68.0 | 68.0 |
Affected products
- Range: v0.1, v0.10, v0.11, …
Patches
b6a14f0f3f4c Merge remote-tracking branch 'security/filter-redirections'
2 files changed · +15 −2
docs/changelog.rst+10 −0 modified@@ -7,6 +7,16 @@ Version 68.0 Released on 2026-01-19. +**This is a security update (CVE-2025-68616).** + +We strongly recommend to upgrade WeasyPrint to the latest version if you use the +``default_url_fetcher`` function in your custom URL fetcher, or if you use the +``allowed_protocols`` parameter of the ``default_url_fetcher`` function. + +Security: + +- Always use URL fetcher for HTTP redirects + Python API: * ``default_url_fetcher()`` is deprecated, use the new ``URLFetcher`` class instead, see
weasyprint/urls.py+5 −2 modified@@ -198,9 +198,12 @@ def default_url_fetcher(url, timeout=10, ssl_context=None, http_headers=None, """ warnings.warn( "default_url_fetcher is deprecated and will be removed in WeasyPrint 69.0, " - "please use URLFetcher instead.", + "please use URLFetcher instead. For security reasons, HTTP redirects are not " + "supported anymore with default_url_fetcher, but are with URLFetcher.\n\nSee " + "https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#url-fetchers", category=DeprecationWarning) - fetcher = URLFetcher(timeout, ssl_context, http_headers, allowed_protocols) + fetcher = URLFetcher( + timeout, ssl_context, http_headers, allowed_protocols, allow_redirects=False) return fetcher.fetch(url)
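Review bot: the changelog entry "Always use URL fetcher for HTTP redirects" does not tell readers that default_url_fetcher now refuses redirects altogether (the urls.py side of this commit passes allow_redirects=False), which is a behaviour change: a document that fetches a resource through a 301/302 will now fail when rendered with the deprecated function. State that next to the upgrade recommendation, e.g. "default_url_fetcher no longer follows HTTP redirects; callers that need them should move to URLFetcher", which the deprecation warning in urls.py already names as the supported path. Also, "We strongly recommend to upgrade" should read "We strongly recommend upgrading".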
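Review bot: no regression test accompanies the urls.py change (the commit touches only docs/changelog.rst and weasyprint/urls.py); a test that serves a redirect from an allowed URL to a refused destination and asserts that default_url_fetcher raises, and that URLFetcher re-checks the target, would pin the fix and guard the allow_redirects default. The call `URLFetcher(timeout, ssl_context, http_headers, allowed_protocols, allow_redirects=False)` would also read more safely with keyword arguments throughout, since the fix depends on each value landing in the right parameter. Finally, the hunk shows default_url_fetcher now refusing redirects outright rather than re-validating the target; that belongs in the function's docstring (the closing `"""` is the first context line of the hunk), not only in the DeprecationWarning text, because warnings are routinely filtered out.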
References
- github.com/advisories/GHSA-983w-rhvv-gwmv (GitHub advisory database entry)
- nvd.nist.gov/vuln/detail/CVE-2025-68616 (NVD entry)
- github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 (fix commit)
- github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv (GitHub Security Advisory, confirmed)