PyPI: weasyprint
CVE-2025-68616
Safety vulnerability ID: SFTY-20260120-06263
Safety legacy ID: pyup.io-84841
Affected versions of the weasyprint package are vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of redirect destinations in the URL fetching mechanism. The default_url_fetcher function in weasyprint/urls.py relies on Python's urllib.request.urlopen, which automatically follows HTTP redirects (301, 302, 307) without re-invoking the developer's custom url_fetcher validation logic, creating a Time-of-Check to Time-of-Use (TOCTOU) condition. An attacker can supply an external URL that passes initial security checks but redirects to internal network resources such as localhost services or cloud metadata endpoints, enabling exfiltration of sensitive data, including instance credentials.
Overview
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
How to Fix
Mitigation and Workarounds
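One workaround for the redirect problem described above is a custom url_fetcher that rejects the URL before opening it and then refuses to follow any 3xx, so no hop escapes the check. This is an added example, not WeasyPrint's own code or the fix in the referenced commit; it assumes WeasyPrint's url_fetcher contract (a callable taking the URL and returning a dict with string, mime_type, encoding and redirected_url keys) and a getaddrinfo-based resolver that a caller can swap out.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse

def _resolve_host(host):
    """Return every IP address string the hostname maps to (system DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_allowed_url(url, resolve=_resolve_host):
    """Allow only http(s) URLs whose host resolves solely to public addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addresses = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addresses:
        return False
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Rejects loopback, RFC 1918, link-local (169.254.0.0/16, where cloud
        # metadata services live), multicast, reserved and unspecified ranges.
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False
    return True

class RedirectRefused(urllib.error.URLError):
    """Raised instead of following a 3xx, so no hop bypasses is_allowed_url()."""

class NoRedirectHandler(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise RedirectRefused(f"refused HTTP {code} redirect to {newurl!r}")

_opener = urllib.request.build_opener(NoRedirectHandler)

def safe_url_fetcher(url, timeout=10):
    """Replacement for default_url_fetcher: validate, then fetch with no redirects."""
    if not is_allowed_url(url):
        raise ValueError(f"blocked URL: {url}")
    with _opener.open(url, timeout=timeout) as response:
        return {  # keys WeasyPrint's url_fetcher contract expects (assumption)
            "string": response.read(),
            "mime_type": response.headers.get_content_type(),
            "encoding": response.headers.get_content_charset(),
            "redirected_url": response.geturl(),  # equals url: no redirect taken
        }
```

Pass it as `HTML(string=doc, url_fetcher=safe_url_fetcher)`; the host is resolved again when the connection opens, so a DNS answer that changes between the check and the fetch is not covered by this example.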
References
- https://getsafety.com/vulnerabilities/SFTY-20260120-06263/CVE-2025-68616
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68616
- https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
- https://github.com/advisories/GHSA-983w-rhvv-gwmv
- https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
- https://nvd.nist.gov/vuln/detail/CVE-2025-68616
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
