CVE-2025-68616
Server-Side Request Forgery (SSRF) Protection Bypass vulnerability in weasyprint (PyPI)


What is CVE-2025-68616 About?

This vulnerability in WeasyPrint's `default_url_fetcher` allows attackers to bypass intended SSRF protections, enabling access to internal network resources. The impact includes internal network reconnaissance and cloud metadata exfiltration. Exploitation is relatively straightforward due to `urllib`'s automatic redirect following, which circumvents developer-defined security policies.

Affected Software

weasyprint <68.0

Technical Details

WeasyPrint's default_url_fetcher utilizes Python's urllib.request.urlopen for URL fetching. While developers can implement custom url_fetcher functions to validate URLs (e.g., block internal hostnames), urllib automatically follows HTTP redirects (status codes 301, 302, 307) without re-invoking the custom validation logic for the redirected URL. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. An attacker provides an initial URL that passes the developer's security checks (Check phase), but this URL then redirects to a forbidden internal resource (Use phase), bypassing the blocklist. For example, a developer might block 'localhost', but an attacker can provide an IP address like '127.0.0.1' (which passes the string-based check) that then redirects to 'http://localhost:5000/secret', allowing access to the internal service.
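The pattern described above (validate once, then let `urllib` follow redirects) is what breaks. The fix on the application side is to stop `urllib` from following redirects at all and to re-run the policy check on every hop. The fetcher below is an added example, not WeasyPrint's own code or the project's fix: it assumes a resolver-based policy (the host must resolve only to globally routable addresses, so loopback, private and link-local ranges such as the cloud metadata address are refused), a cap of five redirects, and the documented `url_fetcher` return keys `string`, `mime_type` and `redirected_url`. The DNS and HTTP fixtures at the bottom are constructed so the policy can be exercised offline.

```python
"""Redirect-aware url_fetcher for WeasyPrint (added example, not project code).

Validation runs before EVERY request: urllib is told not to follow 3xx
responses itself, so a redirect from an allowed host to a loopback, private
or link-local address is refused instead of silently fetched.
"""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve(host):
    """Return every IP address the host resolves to (literal IPs pass through)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except OSError:
        return []


def url_is_allowed(url, resolver=resolve):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addresses = resolver(parts.hostname)
    if not addresses:
        return False
    # is_global is False for loopback, RFC 1918 private space, link-local
    # (169.254.0.0/16, where cloud metadata endpoints live) and reserved ranges.
    return all(ipaddress.ip_address(a).is_global for a in addresses)


def open_once(url, timeout=10):
    """Issue exactly one request; a 3xx comes back as a status, never followed."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), b""


def _header(headers, name, default=None):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), default)


def fetch_with_revalidation(url, validate=url_is_allowed, opener=open_once, max_redirects=5):
    """Follow redirects by hand, re-running `validate` on each hop before requesting it."""
    hops = [url]
    for _ in range(max_redirects + 1):
        if not validate(url):
            raise PermissionError(f"blocked by SSRF policy: {url}")
        status, headers, body = opener(url)
        if status not in REDIRECT_CODES:
            return {"url": url, "status": status, "headers": headers, "body": body, "hops": hops}
        location = _header(headers, "Location")
        if location is None:
            raise ValueError(f"{status} without Location from {url}")
        url = urljoin(url, location)  # relative Location values are resolved against the hop
        hops.append(url)
    raise ValueError(f"more than {max_redirects} redirects: {' -> '.join(hops)}")


def safe_url_fetcher(url):
    """Drop-in for WeasyPrint: HTML(string=..., url_fetcher=safe_url_fetcher)."""
    result = fetch_with_revalidation(url)
    content_type = _header(result["headers"], "Content-Type", "application/octet-stream")
    return {
        "string": result["body"],
        "mime_type": content_type.split(";")[0].strip(),
        "redirected_url": result["url"],
    }


# Constructed offline fixtures (not real hosts) so the policy runs without network.
FAKE_DNS = {
    "example.test": ["93.184.216.34"],  # stands in for a public address
    "localhost": ["127.0.0.1"],
    "127.0.0.1": ["127.0.0.1"],
    "169.254.169.254": ["169.254.169.254"],
}
FAKE_HTTP = {
    "http://example.test/ok": (200, {"Content-Type": "text/html; charset=utf-8"}, b"<p>public</p>"),
    "http://example.test/hop": (301, {"Location": "/ok"}, b""),
    "http://example.test/bounce": (302, {"Location": "http://localhost:5000/secret"}, b""),
    "http://localhost:5000/secret": (200, {"Content-Type": "text/plain"}, b"SECRET"),
}


def demo():
    """Run the policy against the fixtures and return one outcome per scenario."""
    def validate(u):
        return url_is_allowed(u, resolver=lambda h: FAKE_DNS.get(h, []))

    def fake_open(u, timeout=10):
        return FAKE_HTTP[u]  # KeyError here would mean a blocked URL was requested

    scenarios = [
        ("direct", "http://example.test/ok"),
        ("relative_hop", "http://example.test/hop"),
        ("bounce_to_loopback", "http://example.test/bounce"),
        ("literal_loopback", "http://127.0.0.1/"),
        ("metadata", "http://169.254.169.254/latest/"),
    ]
    outcomes = {}
    for name, url in scenarios:
        try:
            r = fetch_with_revalidation(url, validate, fake_open)
            outcomes[name] = ("fetched", r["url"], r["body"], len(r["hops"]))
        except PermissionError as err:
            outcomes[name] = ("blocked", str(err))
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `bounce_to_loopback` scenario is the bypass from the description: the first URL passes the check, the 302 points at `localhost:5000`, and because the policy runs again on the redirected URL the request is refused before it is issued. Resolving the hostname and judging the resulting addresses (rather than comparing strings against a blocklist) also closes the `127.0.0.1`-versus-`localhost` gap the text mentions; a deployment that must reach internal hosts intentionally should add an explicit allow-list on top of this check rather than relaxing it.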

What is the Impact of CVE-2025-68616?

Successful exploitation may allow attackers to perform internal network reconnaissance, access services on the loopback interface, and exfiltrate sensitive data such as cloud metadata. This can lead to further attacks, including credential theft and privilege escalation within cloud environments, and renders an application's SSRF protective measures ineffective.

What is the Exploitability of CVE-2025-68616?

Exploitation is of low to moderate complexity. The attacker needs to craft a URL that initially bypasses the application's URL validation logic and then redirects to the target internal resource. This can often be achieved by using IP addresses instead of blacklisted hostnames, or by leveraging other subtle bypasses in the initial validation. No authentication or elevated privileges are required, as the vulnerability resides in how the application processes external URLs. The attack is remote, as it involves supplying a malicious URL to the vulnerable application. A prerequisite is that the application uses WeasyPrint to render user-supplied HTML/CSS and that the developer has implemented a custom url_fetcher that expects to validate URLs only once, before redirects. The primary risk factor is the common pattern of URL validation that doesn't account for automatic redirect following by underlying HTTP client libraries.

What are the Known Public Exploits?

No known public exploits are listed (PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2025-68616?

Available Upgrade Options

  • weasyprint
    • <68.0 → Upgrade to 68.0


Additional Resources

What are Similar Vulnerabilities to CVE-2025-68616?

Similar Vulnerabilities: CVE-2021-29938, CVE-2021-23382, CVE-2021-32640, CVE-2020-15945, CVE-2023-28445