CVE-2025-68616 Overview
CVE-2025-68616 is a Server-Side Request Forgery (SSRF) protection bypass in WeasyPrint, a Python library that renders HTML and CSS to PDF. In versions prior to 68.0, default_url_fetcher hands HTTP requests to Python's urllib, which follows HTTP redirects automatically. A custom url_fetcher that validates the requested URL and then delegates to default_url_fetcher therefore checks only the first URL: redirect targets are fetched without being re-validated against the developer's security policy, so an attacker who controls an allowed external server can bounce the request to localhost services, cloud metadata endpoints, and other internal infrastructure. Version 68.0 contains the patch.
Critical Impact
Attackers can bypass SSRF protections to access cloud metadata services (such as AWS IMDS at 169.254.169.254) and internal network resources, potentially leading to credential theft and lateral movement.
Affected Products
- Kozea WeasyPrint versions prior to 68.0
- Python applications using default_url_fetcher
- Applications that pass allowed_protocols to default_url_fetcher and rely on it as an SSRF control; it restricts the scheme of the requested URL, not where a redirect leads
Discovery Timeline
- 2026-01-19 - WeasyPrint 68.0 released with security patch
- 2026-01-19 - CVE-2025-68616 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-68616
Vulnerability Analysis
WeasyPrint fetches external resources such as images, stylesheets, and fonts when rendering HTML to PDF. Developers can supply a custom url_fetcher to enforce SSRF protections by validating destination URLs against an allowlist or blocking access to internal IP ranges. The vulnerability stems from how WeasyPrint delegates HTTP requests to Python's urllib library, which transparently follows HTTP 3xx redirects. The custom fetcher only validates the initial URL. Any redirect target receives no validation, allowing an attacker who controls an allowed external server to redirect requests toward internal resources.
This flaw is categorized as both Server-Side Request Forgery [CWE-918] and URL Redirection to Untrusted Site [CWE-601].
Root Cause
The default_url_fetcher function delegated to urllib with redirect following enabled by default. The security policy executed only against the originating URL. When urllib received a 3xx response, it issued a follow-up request to the Location header value without invoking the developer's validation logic again.
Attack Vector
An attacker submits HTML containing a reference (such as an <img> tag) pointing to an attacker-controlled server on an allowed domain. The server responds with an HTTP 302 redirect to an internal target such as http://169.254.169.254/latest/meta-data/ or http://localhost:8080/admin. WeasyPrint follows the redirect server-side and may embed the response data in the generated PDF, exposing internal content to the attacker.
# Security patch in weasyprint/urls.py (body of the patched default_url_fetcher)
# Source: https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
    warnings.warn(
        "default_url_fetcher is deprecated and will be removed in WeasyPrint 69.0, "
        "please use URLFetcher instead. For security reasons, HTTP redirects are not "
        "supported anymore with default_url_fetcher, but are with URLFetcher.\n\nSee "
        "https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#url-fetchers",
        category=DeprecationWarning)
    fetcher = URLFetcher(
        timeout, ssl_context, http_headers, allowed_protocols, allow_redirects=False)
    return fetcher.fetch(url)
The patch disables redirect following in default_url_fetcher by passing allow_redirects=False to the new URLFetcher class, so a custom fetcher that validates a URL and then delegates to default_url_fetcher no longer silently follows a 3xx to an unchecked destination. Applications that need redirects must move to URLFetcher, where they remain supported, and validate each redirect target themselves.
Detection Methods for CVE-2025-68616
Indicators of Compromise
- Outbound HTTP requests from WeasyPrint processes to internal IP ranges (RFC1918, 127.0.0.0/8, 169.254.0.0/16)
- HTTP 3xx responses logged from external services followed by requests to cloud metadata endpoints
- Unexpected PDF generation jobs containing rendered content from internal services
- Application logs showing default_url_fetcher calls with unusual host targets
Detection Strategies
- Inspect application dependency manifests (requirements.txt, pyproject.toml, Pipfile.lock) for weasyprint versions below 68.0
- Audit codebases for use of default_url_fetcher and custom url_fetcher callbacks that rely on initial URL validation
- Monitor egress traffic from PDF-rendering services for connections to 169.254.169.254, localhost, and internal subnets
- Review reverse proxy and WAF logs for HTML payloads referencing attacker-controlled redirect endpoints
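To make the log-based strategies above concrete, here is an added example (not from the advisory and not WeasyPrint code) that runs a redirect-chain detector over egress-proxy records. The log format, one JSON object per line with ts, src, url, status and an optional location field, is an assumption standing in for whatever your proxy emits, and the sample records are constructed.

```python
"""Flag SSRF redirect chains in egress proxy logs from PDF-rendering hosts.

Added example, not part of the original advisory. The JSON log layout
(ts, src, url, status, optional location) is assumed; records are constructed.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Destinations a renderer should never talk to: loopback, RFC1918, link-local
# (cloud metadata), and the IPv6 equivalents.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Well-known metadata hostnames and the IPv6 IMDS address from the Workarounds section.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254",
                  "metadata.google.internal", "localhost"}
CHAIN_WINDOW_SECONDS = 5.0  # a follow-up request this soon after a 3xx counts as "its" redirect

# Constructed sample log: host .15 gets bounced to IMDS, host .16 sees a benign http->https hop.
SAMPLE_LOG = """\
{"ts": 1700000000.0, "src": "10.20.0.15", "url": "http://cdn.example.com/logo.png", "status": 302, "location": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}
{"ts": 1700000000.2, "src": "10.20.0.15", "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "status": 200}
{"ts": 1700000001.0, "src": "10.20.0.15", "url": "https://fonts.example.org/a.woff2", "status": 200}
{"ts": 1700000002.0, "src": "10.20.0.16", "url": "http://cdn.example.com/a.png", "status": 301, "location": "https://cdn.example.com/a.png"}
{"ts": 1700000002.1, "src": "10.20.0.16", "url": "https://cdn.example.com/a.png", "status": 200}
"""


def is_internal_target(url):
    """Offline check on a logged URL: literal internal IPs and known metadata hosts.

    Historical logs are not re-resolved through DNS; a name that rebinds is a
    separate detection problem, so plain hostnames return False here.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    if host in METADATA_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    # Judge an IPv4-mapped IPv6 literal such as [::ffff:127.0.0.1] as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_ssrf_chains(log_text):
    """Return findings: a 3xx whose Location points inside, and the internal request that follows it."""
    findings = []
    pending = {}  # src -> (ts, location) of the last internal-pointing 3xx seen from that host
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        src, url, status = event["src"], event["url"], event["status"]
        location = event.get("location")
        if 300 <= status < 400 and location and is_internal_target(location):
            findings.append({"rule": "redirect_to_internal", "src": src,
                             "from": url, "to": location})
            pending[src] = (event["ts"], location)
        if is_internal_target(url):
            finding = {"rule": "internal_request", "src": src, "url": url, "chained": False}
            last = pending.get(src)
            if last and last[1] == url and event["ts"] - last[0] <= CHAIN_WINDOW_SECONDS:
                finding["chained"] = True  # the redirect above is what sent the renderer here
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_ssrf_chains(SAMPLE_LOG):
        print(finding)
```

The "chained" flag is the high-confidence signal: an internal request whose URL equals the Location of a 3xx the same host received moments earlier is exactly the urllib behaviour this CVE describes. An unchained internal request still deserves a look, since a renderer has no business talking to those ranges at all.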
Monitoring Recommendations
- Enable network-level egress filtering on PDF rendering hosts to block access to metadata services and internal IPs
- Log all outbound HTTP requests initiated by WeasyPrint processes including final URLs after redirects
- Alert on cloud audit logs (AWS CloudTrail, Azure Activity Logs) showing unexpected use of instance metadata credentials
- Track WeasyPrint version inventory across application portfolios using software composition analysis tools
How to Mitigate CVE-2025-68616
Immediate Actions Required
- Upgrade WeasyPrint to version 68.0 or later in all affected applications
- Migrate from default_url_fetcher to the new URLFetcher class as recommended in the patch notes
- Audit existing custom url_fetcher implementations: any fetcher that validates the initial URL and then delegates to urllib or default_url_fetcher must validate every redirect target as well, or disable redirect following outright
- Restrict outbound network access from PDF rendering workloads using firewall rules or network policies
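The hardened url_fetcher that the audit item above asks for, beside the naive pattern described under Attack Vector, as an added example; this is not WeasyPrint's own code and does not use its URLFetcher API. The blocked-network list, the redirect handler wired on top of urllib.request, and the helper names are assumptions; the return-dict keys string, mime_type and redirected_url follow WeasyPrint's documented url_fetcher contract.

```python
"""Redirect-aware url_fetcher for WeasyPrint: the naive pattern beside the hardened one.

Added example, not WeasyPrint project code. The policy and the opener wiring
are assumptions; only urllib.request and the url_fetcher return-dict keys
come from the standard library and the WeasyPrint docs.
"""
import email.message
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Destinations a PDF renderer should never reach: loopback, RFC1918, link-local
# (cloud metadata lives at 169.254.169.254), and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _addresses_for(host):
    """Literal IPs are parsed directly; names go through DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(info[4][0])
                for info in socket.getaddrinfo(host, None)]


def is_allowed(url):
    """SSRF policy: http(s) only, and no resolved address inside a blocked network."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addresses = _addresses_for(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    for addr in addresses:
        # An IPv4-mapped IPv6 literal such as [::ffff:127.0.0.1] must be judged as IPv4.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if any(addr in net for net in BLOCKED_NETWORKS):
            return False
    return True


class PolicyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-run the policy on every Location header before urllib follows it.

    urllib resolves a relative Location against the current URL before calling
    redirect_request, so newurl is always absolute here.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_allowed(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect target blocked by SSRF policy", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def _as_fetcher_result(response):
    return {"string": response.read(),
            "mime_type": response.headers.get_content_type(),
            "redirected_url": response.geturl()}


def naive_url_fetcher(url, timeout=10):
    """The vulnerable pattern: validate once, then let urllib follow 3xx unchecked."""
    if not is_allowed(url):
        raise ValueError(f"blocked by SSRF policy: {url}")
    return _as_fetcher_result(urllib.request.urlopen(url, timeout=timeout))


def safe_url_fetcher(url, timeout=10):
    """Hardened fetcher for HTML(..., url_fetcher=safe_url_fetcher): every hop is checked."""
    if not is_allowed(url):
        raise ValueError(f"blocked by SSRF policy: {url}")
    opener = urllib.request.build_opener(PolicyRedirectHandler())
    return _as_fetcher_result(opener.open(url, timeout=timeout))


def redirect_decision(initial_url, location, enforce_policy=True):
    """Feed a constructed 302 to a redirect handler exactly as urllib would, with no network.

    Returns the URL urllib would request next, or "blocked" if the handler refused.
    """
    handler = PolicyRedirectHandler() if enforce_policy else urllib.request.HTTPRedirectHandler()
    req = urllib.request.Request(initial_url)
    try:
        follow_up = handler.redirect_request(
            req, None, 302, "Found", email.message.Message(), location)
    except urllib.error.HTTPError:
        return "blocked"
    return follow_up.full_url


if __name__ == "__main__":
    metadata = "http://169.254.169.254/latest/meta-data/"
    print("stock urllib follows to:",
          redirect_decision("http://cdn.example.com/logo.png", metadata, enforce_policy=False))
    print("policy handler:", redirect_decision("http://cdn.example.com/logo.png", metadata))
```

redirect_decision drives the handler hook that urllib itself calls on a 3xx, which is why the demonstration runs offline; against a real server, naive_url_fetcher would return the metadata response and WeasyPrint would embed it in the PDF. One caveat the policy does not close: is_allowed resolves a hostname once and the connection resolves it again, so a rebinding DNS name can still slip through. Pin the resolved address (connect to the IP and send the Host header) or apply the same policy at the socket layer if that is in your threat model.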
Patch Information
The fix is available in WeasyPrint 68.0, released on 2026-01-19. The patch disables HTTP redirect following in default_url_fetcher by initializing the new URLFetcher with allow_redirects=False. See the GitHub Security Advisory GHSA-983w-rhvv-gwmv and the upstream commit for technical details. Note that default_url_fetcher is deprecated and will be removed in WeasyPrint 69.0.
Workarounds
- Block all outbound traffic from WeasyPrint processes to cloud metadata services (169.254.169.254, fd00:ec2::254) at the network layer
- Run WeasyPrint inside a restricted network namespace or container with no route to internal subnets
- Enforce IMDSv2 with session tokens on AWS workloads: a redirect-driven GET cannot perform the PUT request that obtains a token, so the metadata endpoint refuses it
- Implement an HTTP proxy that performs URL validation on every request including redirect targets
# Configuration example: Upgrade WeasyPrint and verify version
pip install --upgrade 'weasyprint>=68.0'
python -c "import weasyprint; print(weasyprint.__version__)"
# Example: restrict IMDS on rendering instances. Security groups are allow-only and do not govern
# traffic to the link-local metadata address, so set instance metadata options instead: require
# IMDSv2 and keep the hop limit at 1 so bridged containers on the host cannot reach it either
aws ec2 modify-instance-metadata-options \
--instance-id i-xxxxxxxx \
--http-tokens required \
--http-put-response-hop-limit 1
# Hosts that do not need instance metadata at all can turn the endpoint off entirely
aws ec2 modify-instance-metadata-options --instance-id i-xxxxxxxx --http-endpoint disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

