PatchSiren

CVE-2025-68616 Kozea CVE debrief

CVE-2025-68616 is a high-severity server-side request forgery (SSRF) bypass in WeasyPrint, the Python HTML-and-CSS-to-PDF library maintained by Kozea. Applications that render untrusted HTML commonly supply a custom url_fetcher that rejects URLs pointing at internal hosts and hands the remaining ones to WeasyPrint's default_url_fetcher. That default fetcher relies on urllib, which follows HTTP redirects automatically, so a permitted external URL that answers with a 3xx redirect to an internal address is fetched without the new destination ever being checked against the application's policy. An attacker who can influence the resource URLs in a rendered document (images, stylesheets, fonts) can use this to reach internal network resources. WeasyPrint versions prior to 68.0 are affected; the issue carries a CVSS score of 7.5 and is rated HIGH. The CVE record was published on January 19, 2026 and last modified on June 30, 2026.

Vendor
Kozea
Product
WeasyPrint
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-19
Original CVE updated
2026-06-30
Advisory published
2026-01-19
Advisory updated
2026-06-30

Who should care

Anyone running WeasyPrint to render HTML that an outside party can influence, in whole or in part (user-supplied templates, uploaded documents, HTML containing user-controlled image or stylesheet URLs), should treat this as actionable: upgrade to 68.0 or later and, until that lands, harden or replace any custom url_fetcher. Security teams should establish where PDF rendering runs, whether that host can reach internal services or a cloud metadata endpoint, and watch for exploitation attempts.

Technical summary

The weakness is in default_url_fetcher, the function WeasyPrint uses to retrieve images, stylesheets, fonts and other resources referenced by the document being rendered. It fetches over urllib, which follows HTTP redirects on its own. A custom url_fetcher that rejects internal targets (localhost services, private ranges, cloud metadata endpoints) and then delegates the remaining URLs to default_url_fetcher therefore checks only the first URL: a permitted external server can answer with a 3xx redirect to an internal address, and urllib follows it without the new destination ever passing through the custom policy. The result is an SSRF that survives the very filter written to prevent it. The issue is classified as CWE-601 (URL redirection to untrusted site) and CWE-918 (server-side request forgery).

Defensive priority

Upgrade WeasyPrint to 68.0 or later first; the patched release changes default_url_fetcher, and nothing a caller does on an older version alters its redirect handling short of not using it. Then review any custom url_fetcher: a fetcher that validates the URL once and delegates to default_url_fetcher provides no redirect protection on affected versions, so until the upgrade lands it should fetch with redirects disabled and re-validate the target of each hop itself, or restrict rendering to a fixed set of trusted resource locations.

Recommended defensive actions

  • Upgrade WeasyPrint to 68.0 or later and confirm the installed version (pip show weasyprint)
  • Review custom url_fetcher implementations: any that validate the URL and then call default_url_fetcher are bypassable on affected versions
  • Until upgraded, fetch resources in the custom fetcher with redirects disabled and re-validate every redirect target (scheme, host and resolved address) before following it, with a hop limit
  • Add network-level controls: run the renderer with egress restricted to the hosts it needs, and block link-local and private ranges, including the cloud metadata endpoint
  • Monitor rendering hosts for outbound requests to internal addresses or the metadata service, and treat a PDF job that triggers one as a likely exploitation attempt
  • Review and update security policies so SSRF filtering is defined as applying to every hop of a request, not only the initial URL
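The failing pattern described in the technical summary beside the redirect-aware fetcher recommended above, as an added example written for this debrief rather than code from WeasyPrint or the Kozea advisory. It does not import WeasyPrint: the network is replaced by a constructed URL table and constructed DNS answers so it runs offline, and blind_fetch, guarded_fetch, is_safe_url, fake_get, real_get and the address values are all the example's own. blind_fetch mirrors a fetcher that validates once and then lets a redirect-following transport run; guarded_fetch takes one hop at a time and re-checks the target before each request. real_get shows the urllib-level change that makes a one-hop fetch possible against a real server.

```python
"""Redirect-aware SSRF guard in the shape of a WeasyPrint-style url_fetcher.

Added example for this debrief, not WeasyPrint's own code. The network is
simulated with a constructed URL table and constructed DNS answers so the
module runs offline; real_get() and system_resolve() are the real-network
equivalents and are not exercised here.
"""
import ipaddress
import socket
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
META = "http://169.254.169.254/latest/meta-data/"  # cloud metadata endpoint

# Constructed fake network: url -> (status, Location header, body).
FAKE_NET = {
    "https://cdn.example.com/logo.png": (200, None, b"\x89PNG fake"),
    "https://cdn.example.com/hop": (302, "/logo.png", b""),
    "https://cdn.example.com/evil": (302, META, b""),
    META: (200, None, b"ami-id"),
    "https://cdn.example.com/loop": (302, "https://cdn.example.com/loop", b""),
}
# Constructed DNS answers; the public address is a placeholder, not a real host.
FAKE_DNS = {"cdn.example.com": ["93.184.216.34"],
            "169.254.169.254": ["169.254.169.254"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def system_resolve(host):
    """Real DNS lookup for production use (not exercised offline)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_get(url):
    """One simulated HTTP request that never follows a redirect."""
    if url not in FAKE_NET:
        raise HTTPError(url, 404, "Not Found", {}, None)
    return FAKE_NET[url]


def _is_global(addr):
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # e.g. a scoped IPv6 literal: refuse rather than guess
        return False


def is_safe_url(url, resolve=fake_resolve):
    """Allow only http(s) URLs whose host resolves solely to global addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve(parts.hostname)
    return bool(addrs) and all(_is_global(a) for a in addrs)


def blind_fetch(url, get=fake_get, resolve=fake_resolve, max_hops=5):
    """Vulnerable pattern: validate once, then follow redirects unchecked.

    This is what a custom url_fetcher that delegates to a redirect-following
    transport amounts to on affected WeasyPrint versions.
    """
    if not is_safe_url(url, resolve):
        raise PermissionError(f"blocked: {url}")
    for _ in range(max_hops + 1):
        status, location, body = get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # the new target is never re-checked
            continue
        return url, body
    raise RuntimeError("too many redirects")


def guarded_fetch(url, get=fake_get, resolve=fake_resolve, max_hops=5):
    """Hardened pattern: one hop per request, policy re-applied to every target."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url, resolve):
            raise PermissionError(f"blocked: {url}")
        status, location, body = get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise RuntimeError("too many redirects")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def real_get(url, timeout=10):
    """One hop over the real network with redirects disabled (not run offline)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read()
    except HTTPError as err:
        if err.code in REDIRECT_CODES:
            return err.code, err.headers.get("Location"), b""
        raise
```

To plug this into WeasyPrint, a custom url_fetcher would call guarded_fetch(url, get=real_get, resolve=system_resolve) and return the body in the dict shape WeasyPrint expects from a fetcher; that glue is left out here. The check is host-based and resolves names before deciding, which also covers an external hostname that points at an internal address. It does not defend against DNS answers that change between the check and the connect; closing that gap requires pinning the connection to the address that was validated.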

Evidence notes

The CVE record and NVD entry supply the description, CVSS score and affected version range. The source item URL adds detail on the vulnerability and its mitigation. The fix ships in WeasyPrint 68.0; no CISA KEV listing appears in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.