CVE-2025-68616
Description
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.
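The gap described above is that a custom `url_fetcher` typically validates only the URL it is handed, while `urllib` then follows any `Location` header on its own. As an added example (not WeasyPrint's own code or its 68.0 patch), the fetcher below re-validates every redirect target by hooking `urllib`'s `HTTPRedirectHandler.redirect_request`; the public-address policy, the returned dict keys (the ones WeasyPrint documents for a `url_fetcher`) and the helper names are this example's assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

class SSRFBlocked(Exception):
    """A URL, initial or redirect target, violates the fetch policy."""

def check_url(url):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"scheme or host not allowed: {url}")
    try:  # numeric hosts need no DNS; names are resolved once here
        infos = socket.getaddrinfo(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise SSRFBlocked(f"cannot resolve {parts.hostname}") from exc
    for info in infos:
        addr = ipaddress.ip_address(info[4][0].split("%")[0])
        if not addr.is_global:  # loopback, link-local (169.254.169.254), RFC 1918 ...
            raise SSRFBlocked(f"{parts.hostname} resolves to non-public {addr}")
    return url

class PolicyRedirectHandler(HTTPRedirectHandler):
    """urllib calls redirect_request for every 3xx it is about to follow; re-check newurl here."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_url(newurl)  # a fetcher that validates only the first URL never sees this step
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def safe_url_fetcher(url, timeout=10):
    """Fetch url and return the dict keys WeasyPrint documents for a url_fetcher."""
    check_url(url)
    opener = build_opener(PolicyRedirectHandler())
    with opener.open(Request(url), timeout=timeout) as resp:
        return {"string": resp.read(), "mime_type": resp.headers.get_content_type(),
                "redirected_url": resp.geturl()}

def is_allowed(url):
    """True if the policy accepts url (offline helper for the checks below)."""
    try:
        return bool(check_url(url))
    except SSRFBlocked:
        return False

def redirect_allowed(start_url, location):
    """Hand a constructed 302 Location to the handler offline, exactly as urllib would."""
    try:
        PolicyRedirectHandler().redirect_request(Request(start_url), None, 302, "Found", {}, location)
        return True
    except SSRFBlocked:
        return False
```

Pass `safe_url_fetcher` as the `url_fetcher` argument when rendering; a redirect from an allowed host to a loopback or link-local address now fails the fetch instead of being followed silently.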
CVE-2025-68616
| Name | CVE-2025-68616 |
| Description | WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1139189 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| weasyprint (PTS) | bullseye | 51-2 | vulnerable |
| weasyprint (PTS) | bookworm | 57.2-1 | vulnerable |
| weasyprint (PTS) | trixie | 62.3-1 | vulnerable |
| weasyprint (PTS) | forky, sid | 67.0-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| weasyprint | source | (unstable) | (unfixed) | | | 1139189 |
Notes
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
OS impact
Debian Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Affected | - |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | weasyprint | <68.0 | 68.0 |
References
- https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
- https://nvd.nist.gov/vuln/detail/CVE-2025-68616
- https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
- https://github.com/Kozea/WeasyPrint
- https://www.suse.com/security/cve/CVE-2025-68616.html
- https://security-tracker.debian.org/tracker/CVE-2025-68616