Platform: python
Component: weasyprint
Fixed in: 68.0.1, 68.0
A Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2025-68616) has been identified in WeasyPrint versions up to 67.0. This flaw allows attackers to bypass custom URL fetcher security policies and access internal network resources, potentially leading to unauthorized data access and system compromise. The vulnerability stems from WeasyPrint's default URL fetching mechanism, which automatically follows HTTP redirects without re-validating the destination. A fix is available in WeasyPrint 68.0.
The SSRF bypass in WeasyPrint allows attackers to craft malicious requests that are internally routed by the application. Even if a developer has implemented a custom url_fetcher to block access to specific URLs or domains, this vulnerability allows attackers to bypass that protection by leveraging HTTP redirects. This can enable access to sensitive internal services running on localhost, such as databases, administration panels, or cloud metadata endpoints (e.g., AWS instance metadata). Successful exploitation could lead to data exfiltration, privilege escalation, and potentially complete system compromise. The impact is particularly severe in environments where WeasyPrint is used to generate documents from untrusted sources, as an attacker could inject malicious URLs into the document, triggering the SSRF vulnerability during document processing.
CVE-2025-68616 was publicly disclosed on 2026-01-20. There is no indication of this vulnerability being actively exploited in the wild. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Organizations using WeasyPrint to generate documents from untrusted sources are particularly at risk. This includes applications that process user-supplied URLs or data that is subsequently used in document generation. Shared hosting environments where multiple applications share the same WeasyPrint instance are also vulnerable, as a compromise in one application could potentially be leveraged to exploit this SSRF vulnerability in others.
• python / server:

```python
import requests
from urllib.parse import urlparse


def check_redirects(url):
    """Fetch `url` following redirects and report if the final host differs from the requested one."""
    try:
        # Follow redirects the same way WeasyPrint's default fetcher does, then
        # compare where the request actually ended up with where it started.
        response = requests.get(url, allow_redirects=True, timeout=10)
        parsed_url = urlparse(response.url)
        if parsed_url.netloc != urlparse(url).netloc:
            print(f"Potential SSRF bypass detected: URL redirected to {response.url}")
    except requests.exceptions.RequestException as e:
        print(f"Error checking URL: {e}")


# Example usage (replace with WeasyPrint-related URLs)
check_redirects("http://localhost:8000/internal")
```

• generic web:

```shell
curl -I 'http://your-weasyprint-server/some/url' | grep 'Location:'
```

EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2025-68616 is to upgrade to WeasyPrint version 68.0 or later, which addresses the underlying HTTP redirect handling issue. If upgrading is not immediately feasible, consider implementing stricter network segmentation to limit the potential blast radius of a successful SSRF attack. Additionally, carefully review and validate all URLs used by WeasyPrint, especially those originating from untrusted sources. While not a complete solution, implementing a Web Application Firewall (WAF) with SSRF protection rules can provide an additional layer of defense. Monitor WeasyPrint logs for unusual outbound requests to internal or unexpected external resources.
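The mechanism described above (a custom url_fetcher validates only the first URL, while the underlying HTTP client silently follows redirects to a different host) and the mitigation advice both come down to one rule: re-validate every hop before it is requested. The following is an added example of a fetcher built that way; it is not WeasyPrint's own code and not the fix shipped in 68.0. It disables automatic redirects, follows `Location` headers by hand, and rejects any hop whose host is, or resolves to, a loopback, private or link-local address. The `url_fetcher` signature (`url, timeout, ssl_context`) and the returned dictionary keys (`string`, `mime_type`, `encoding`, `redirected_url`) are assumed from WeasyPrint's documented fetcher interface; the hostname `docs.example` and the resolver answers mentioned in comments are constructed.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}


def resolve_host(host):
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_allowed_url(url, resolver=resolve_host):
    """Policy check for ONE url; applied to every hop of a redirect chain.

    Returns (allowed, reason). Rejects non-HTTP schemes, localhost names, and any
    host that is, or resolves to, a non-public address (loopback, RFC 1918,
    link-local such as the 169.254.0.0/16 cloud-metadata range, and so on).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is blocked"
    try:
        addrs = {ipaddress.ip_address(host)}          # IP literal
    except ValueError:                                # hostname: resolve it
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        if not addr.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def get_header(headers, name):
    """Case-insensitive header lookup over a dict or http.client.HTTPMessage."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def urllib_get(url, timeout=10):
    """One request with redirects DISABLED: a 3xx is returned, never followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError instead of redirecting

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def fetch_checked(url, get=urllib_get, resolver=resolve_host, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand, re-checking policy before each hop is requested.

    Returns (final_url, headers, body, hops); raises ValueError on a blocked hop
    or an over-long chain. `get` and `resolver` are injectable so the logic can
    be exercised offline with constructed responses.
    """
    hops = [url]
    for _ in range(max_redirects + 1):
        allowed, reason = is_allowed_url(url, resolver)
        if not allowed:
            raise ValueError(f"blocked {url}: {reason}")
        status, headers, body = get(url)
        location = get_header(headers, "Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # resolve relative Location values
            hops.append(url)
            continue
        return url, headers, body, hops
    raise ValueError(f"more than {max_redirects} redirects from {hops[0]}")


def build_fetch_result(final_url, headers, body):
    """Shape a response as the dict WeasyPrint expects from a url_fetcher (assumed keys)."""
    content_type = get_header(headers, "Content-Type") or "application/octet-stream"
    mime_type, _, params = content_type.partition(";")
    encoding = None
    if "charset=" in params:
        encoding = params.split("charset=", 1)[1].split(";")[0].strip().strip('"')
    return {"string": body, "mime_type": mime_type.strip(),
            "encoding": encoding, "redirected_url": final_url}


def safe_url_fetcher(url, timeout=10, ssl_context=None):
    """Pass as HTML(..., url_fetcher=safe_url_fetcher); signature assumed, ssl_context unused here."""
    final_url, headers, body, _ = fetch_checked(url, get=lambda u: urllib_get(u, timeout))
    return build_fetch_result(final_url, headers, body)
```

The check runs on the resolved addresses rather than on the hostname string, so a public-looking name that resolves to an internal address is treated the same as a raw `127.0.0.1` literal. It deliberately does not reuse the address from an earlier resolution when the hop is requested, so a resolver that answers differently on the second lookup remains a residual risk; pinning the connection to the validated address needs a lower-level HTTP client than `urllib`.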
Update WeasyPrint to version 68.0 or later. This fixes the SSRF vulnerability by preventing the protection bypass via HTTP redirects. The update can be performed with the Python package manager pip by running `pip install --upgrade weasyprint`.
CVE-2025-68616 is a vulnerability in WeasyPrint versions up to 67.0 that allows attackers to bypass custom URL fetchers and access internal network resources through an SSRF bypass.
You are affected if you are using WeasyPrint versions 67.0 or earlier. Upgrade to version 68.0 to resolve the vulnerability.
Upgrade WeasyPrint to version 68.0 or later. If immediate upgrade is not possible, implement stricter network segmentation and WAF rules.
There is currently no evidence of CVE-2025-68616 being actively exploited in the wild, but the vulnerability poses a significant risk if left unaddressed.
Refer to the WeasyPrint project's security advisories and release notes for the official announcement and details regarding this vulnerability.