Platform: python
Component: weasyprint
Fixed in: 68.0.1, 68.0
A Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2025-68616) has been identified in WeasyPrint versions up to 67.0. This flaw allows attackers to bypass custom URL fetcher security policies and access internal network resources, potentially leading to unauthorized data access and system compromise. The vulnerability stems from WeasyPrint's default URL fetching mechanism, which automatically follows HTTP redirects without re-validating the destination. A fix is available in WeasyPrint 68.0.
The SSRF bypass in WeasyPrint allows attackers to craft malicious requests that the application then issues from inside its own network. Even if a developer has implemented a custom url_fetcher to block access to specific URLs or domains, an attacker can bypass that protection by leveraging HTTP redirects: the custom fetcher validates only the initial URL, and the redirect target is never re-checked. This can enable access to sensitive internal services running on localhost, such as databases, administration panels, or cloud metadata endpoints (e.g., AWS instance metadata). Successful exploitation could lead to data exfiltration, privilege escalation, and potentially complete system compromise. The impact is particularly severe in environments where WeasyPrint is used to generate documents from untrusted sources, as an attacker could inject malicious URLs into the document, triggering the SSRF vulnerability during document processing.
CVE-2025-68616 was publicly disclosed on 2026-01-20. There is no indication of this vulnerability being actively exploited in the wild. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-68616 is to upgrade to WeasyPrint version 68.0 or later, which addresses the underlying HTTP redirect handling issue. If upgrading is not immediately feasible, consider implementing stricter network segmentation to limit the potential blast radius of a successful SSRF attack. Additionally, carefully review and validate all URLs used by WeasyPrint, especially those originating from untrusted sources. While not a complete solution, implementing a Web Application Firewall (WAF) with SSRF protection rules can provide an additional layer of defense. Monitor WeasyPrint logs for unusual outbound requests to internal or unexpected external resources.
Update WeasyPrint to version 68.0 or higher. This corrects the SSRF vulnerability by preventing protection bypass via HTTP redirects. The update can be performed using the Python package manager, pip, by running the command `pip install --upgrade weasyprint`.
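The redirect bypass described above and the "validate every URL" mitigation, as an added example that is not WeasyPrint project code. The hardened fetcher returns a dict in the shape a WeasyPrint url_fetcher is expected to return ({'string': ..., 'mime_type': ...}); the transport and resolver are injected so the example runs offline against a constructed fake network, and in real use the transport is assumed to be an HTTP client configured not to follow redirects on its own.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}

def is_public(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_reserved or a.is_multicast)

def validate_url(url, resolve):
    """Raise ValueError unless url is http(s) and every address it maps to is public."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"blocked scheme or host: {url}")
    try:                                  # IP literal: check it directly
        addrs = [str(ipaddress.ip_address(p.hostname))]
    except ValueError:                    # hostname: check every resolved address
        addrs = resolve(p.hostname)
    for ip in addrs:
        if not is_public(ip):
            raise ValueError(f"blocked address {ip} for {url}")

def naive_fetch(url, transport, resolve):
    """The pattern the advisory describes: validate once, then follow redirects blindly."""
    validate_url(url, resolve)
    status, headers, body = transport(url)
    while status in REDIRECTS:            # the Location target is never re-validated
        url = urljoin(url, headers["Location"])
        status, headers, body = transport(url)
    return {"string": body, "mime_type": headers.get("Content-Type")}

def safe_fetch(url, transport, resolve, max_hops=5):
    """Hardened fetcher: each redirect target is validated before it is requested."""
    for _ in range(max_hops + 1):
        validate_url(url, resolve)        # first URL and every hop go through the same policy
        status, headers, body = transport(url)
        if status not in REDIRECTS:
            return {"string": body, "mime_type": headers.get("Content-Type")}
        url = urljoin(url, headers["Location"])
    raise ValueError("too many redirects")

# Constructed fake network (no sockets): the public asset host redirects to a loopback service.
FAKE_SERVER = {
    "https://assets.example.com/logo.png": (302, {"Location": "http://127.0.0.1:8080/internal"}, b""),
    "https://assets.example.com/ok.png": (200, {"Content-Type": "image/png"}, b"png-bytes"),
    "http://127.0.0.1:8080/internal": (200, {"Content-Type": "text/plain"}, b"internal data"),
}
FAKE_DNS = {"assets.example.com": ["1.2.3.4"]}   # constructed "public" DNS answer
fake_transport = FAKE_SERVER.__getitem__         # must not auto-follow redirects itself
fake_resolve = FAKE_DNS.__getitem__
```

With the fake network, naive_fetch hands back the loopback service's body while safe_fetch raises on the redirect hop; the same safe_fetch can be wrapped with a real transport and passed as WeasyPrint's url_fetcher argument.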
CVE-2025-68616 is a vulnerability in WeasyPrint versions up to 67.0 that allows attackers to bypass custom URL fetchers and access internal network resources through an SSRF bypass.
You are affected if you are using WeasyPrint versions 67.0 or earlier. Upgrade to version 68.0 to resolve the vulnerability.
Upgrade WeasyPrint to version 68.0 or later. If immediate upgrade is not possible, implement stricter network segmentation and WAF rules.
There is currently no evidence of CVE-2025-68616 being actively exploited in the wild, but the vulnerability poses a significant risk if left unaddressed.
Refer to the WeasyPrint project's security advisories and release notes for the official announcement and details regarding this vulnerability.