CVE-2025-68616

NameCVE-2025-68616
DescriptionWeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1139189

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
weasyprint (PTS)bullseye51-2vulnerable
bookworm57.2-1vulnerable
trixie62.3-1vulnerable
forky, sid69.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
weasyprintsource(unstable)69.0-11139189

Notes

[trixie] - weasyprint <no-dsa> (Minor issue)
[bookworm] - weasyprint <no-dsa> (Minor issue)
[bullseye] - weasyprint <postponed> (Minor issue)
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 (v68.0)
Search for package or bug name: Reporting problems