PatchSiren cyber security CVE debrief
CVE-2025-68616 Kozea CVE debrief
CVE-2025-68616 is a high-severity vulnerability in WeasyPrint, a Python library for generating PDF documents. The vulnerability allows attackers to bypass SSRF protection and access internal network resources. This occurs because the underlying urllib library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. WeasyPrint versions prior to 68.0 are affected. The vulnerability has a CVSS score of 7.5 and is classified as HIGH. The CVE was published on January 19, 2026, and last modified on June 30, 2026.
- Vendor: Kozea
- Product: WeasyPrint
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-19
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-19
- Advisory updated: 2026-06-30
Who should care
Developers who use WeasyPrint to generate PDF documents, especially from HTML that contains user-controlled content or remote resources, should update to version 68.0 or later and add their own SSRF safeguards around resource fetching. Security teams should track this vulnerability and monitor for signs of exploitation, such as PDF rendering hosts making requests to internal services.
Technical summary
The vulnerability exists in WeasyPrint's default_url_fetcher. A custom url_fetcher that checks the requested URL and blocks internal destinations can still be bypassed, because the check is applied only to the initial URL: the underlying urllib library follows HTTP redirects automatically, so a permitted external URL can redirect to an internal resource such as a localhost service or a cloud metadata endpoint, and that new destination is never re-validated against the developer's security policy. The vulnerability is classified as CWE-601 (URL redirection to an untrusted site) and CWE-918 (server-side request forgery).
Defensive priority
High priority should be given to updating WeasyPrint to version 68.0 or later. Additionally, developers should review their custom url_fetcher implementations to ensure they are properly validating URLs and preventing SSRF attacks.
Recommended defensive actions
- Update WeasyPrint to version 68.0 or later
- Review custom url_fetcher implementations to ensure they validate the final destination of every redirect, not only the initial URL
- Implement additional security measures to protect against SSRF attacks, such as restricting fetches to an allow-list of hosts and blocking loopback, link-local and private address ranges at the network level
- Monitor for potential exploitation of this vulnerability
- Review and update security policies to address SSRF protection
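The re-validation described in the technical summary and called for in the actions above, as an added example (this is not WeasyPrint's own code nor the advisory's). It assumes the WeasyPrint url_fetcher contract of a callable that takes a URL and returns a dict with string, mime_type, encoding and redirected_url keys; the policy function, resolver hook and helper names are assumptions of this example.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def resolve(hostname):
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}  # every address the name maps to

def is_allowed(url, resolver=resolve):
    """Policy: http(s) only, and every address of the host must be globally routable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # IP literal: no DNS lookup
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
        except (socket.gaierror, ValueError):
            return False
    # Loopback, link-local (cloud metadata), RFC 1918 and reserved ranges all fail is_global.
    return bool(addrs) and all(a.is_global for a in addrs)

class RevalidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Apply the policy to every Location header, not just the URL the caller passed."""
    def __init__(self, resolver=resolve):
        self.resolver = resolver
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_allowed(newurl, self.resolver):
            raise urllib.error.HTTPError(newurl, code, "redirect blocked by SSRF policy", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def revalidate_hop(from_url, to_url, code=302, resolver=resolve):
    """Offline check of a single redirect hop: the new URL if permitted, None if blocked."""
    handler = RevalidatingRedirectHandler(resolver)
    try:
        return handler.redirect_request(urllib.request.Request(from_url), None, code, "Found", {}, to_url).full_url
    except urllib.error.HTTPError:
        return None

def safe_url_fetcher(url, timeout=10, resolver=resolve):
    """Drop-in for weasyprint.HTML(..., url_fetcher=safe_url_fetcher) (assumed contract)."""
    if not is_allowed(url, resolver):
        raise ValueError(f"blocked by SSRF policy: {url}")
    opener = urllib.request.build_opener(RevalidatingRedirectHandler(resolver))
    # Caveat: the name is resolved again at connect time, so a DNS-rebinding host can still slip through.
    with opener.open(url, timeout=timeout) as resp:
        return {"string": resp.read(), "mime_type": resp.headers.get_content_type(),
                "encoding": resp.headers.get_param("charset"), "redirected_url": resp.geturl()}
```

Pair this with network-level egress filtering on the rendering host, since the policy check and the actual connection resolve the hostname separately.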
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, its CVSS score, and affected versions. The source item URL provides additional information on the vulnerability and its mitigation. The patch for the issue is available in version 68.0 of WeasyPrint.
Official resources
- CVE-2025-68616 CVE record (CVE.org)
- CVE-2025-68616 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.