CVE-2025-68616: WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect

January 20, 2026

A Server-Side Request Forgery (SSRF) Protection Bypass exists in WeasyPrint’s default_url_fetcher. The vulnerability allows attackers to access internal network resources (such as localhost services or cloud metadata endpoints) even when a developer has implemented a custom url_fetcher to block such access. This occurs because the underlying urllib library follows HTTP redirects automatically without re-validating the new destination against the developer’s security policy.

References

github.com/Kozea/WeasyPrint
github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
github.com/advisories/GHSA-983w-rhvv-gwmv
nvd.nist.gov/vuln/detail/CVE-2025-68616

Code Behaviors & Features

Detect and mitigate CVE-2025-68616 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →