📄 Description (English)
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.
🤖 AI Executive Summary
WeasyPrint versions prior to 68.0 contain an SSRF protection bypass vulnerability (CVE-2025-68616) that allows attackers to access internal network resources and cloud metadata endpoints through HTTP redirect chains, circumventing developer-implemented security controls. With a CVSS score of 7.5 and publicly available exploits, this poses significant risk to Saudi organizations using WeasyPrint for PDF generation in web applications. Immediate patching to version 68.0 or later is critical to prevent unauthorized access to sensitive internal services.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 2, 2026 15:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in financial services (banking sector under SAMA oversight), government agencies (NCA, CITC), healthcare institutions, and energy sector (ARAMCO, downstream companies) are at elevated risk if they use WeasyPrint for PDF generation in customer-facing or internal applications. The vulnerability could enable attackers to access internal APIs, cloud metadata services (AWS/Azure), SAMA banking networks, or government internal systems. E-commerce platforms and digital payment processors are particularly vulnerable as they commonly use PDF generation for invoices, reports, and documentation. The SSRF bypass could lead to lateral movement within Saudi critical infrastructure networks.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Insurance
Education
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of WeasyPrint in your environment using software inventory tools and dependency scanners (pip list, requirements.txt, package.json for Node.js wrappers)
2. Prioritize applications that process untrusted URLs or user-supplied content for PDF generation
3. Implement network segmentation to restrict outbound connections from PDF generation services to internal networks
PATCHING:
1. Upgrade WeasyPrint to version 68.0 or later immediately: pip install --upgrade weasyprint>=68.0
2. Test patches in development/staging environments before production deployment
3. Verify patch installation: python -c "import weasyprint; print(weasyprint.__version__)"
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement strict URL validation using allowlist approach - only permit specific domains/protocols
2. Disable HTTP redirects in custom url_fetcher implementations by catching redirect responses
3. Use network firewall rules to block PDF generation services from accessing internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1)
4. Implement WAF rules to detect SSRF patterns in URL parameters
5. Run PDF generation services in isolated containers with minimal network access
DETECTION:
1. Monitor for HTTP 301/302/307/308 responses in PDF generation logs
2. Alert on requests to internal IP addresses or localhost from WeasyPrint processes
3. Log all URLs processed by WeasyPrint and analyze for redirect chains
4. Monitor cloud metadata endpoints (169.254.169.254) access attempts
5. Implement IDS/IPS signatures for SSRF redirect exploitation patterns
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات WeasyPrint في بيئتك باستخدام أدوات جرد البرامج وماسحات التبعيات (pip list, requirements.txt)
2. إعطاء الأولوية للتطبيقات التي تعالج عناوين URL غير الموثوقة أو المحتوى المزود من قبل المستخدم لإنشاء ملفات PDF
3. تنفيذ تقسيم الشبكة لتقييد الاتصالات الصادرة من خدمات إنشاء PDF إلى الشبكات الداخلية
التصحيح:
1. ترقية WeasyPrint إلى الإصدار 68.0 أو أحدث فوراً: pip install --upgrade weasyprint>=68.0
2. اختبار التصحيحات في بيئات التطوير/الاختبار قبل نشرها في الإنتاج
3. التحقق من تثبيت التصحيح: python -c "import weasyprint; print(weasyprint.__version__)"
عناصر التحكم التعويضية (إذا لم يكن التصحيح الفوري ممكناً):
1. تنفيذ التحقق الصارم من عناوين URL باستخدام نهج القائمة البيضاء - السماح فقط بنطاقات/بروتوكولات محددة
2. تعطيل إعادة التوجيه HTTP في تطبيقات url_fetcher المخصصة بالتقاط استجابات إعادة التوجيه
3. استخدام قواعد جدار الحماية للشبكة لحظر خدمات إنشاء PDF من الوصول إلى نطاقات IP الداخلية
4. تنفيذ قواعد WAF للكشف عن أنماط SSRF في معاملات URL
5. تشغيل خدمات إنشاء PDF في حاويات معزولة مع الحد الأدنى من الوصول إلى الشبكة
الكشف:
1. مراقبة استجابات HTTP 301/302/307/308 في سجلات إنشاء PDF
2. التنبيه على الطلبات إلى عناوين IP الداخلية أو localhost من عمليات WeasyPrint
3. تسجيل جميع عناوين URL التي تمت معالجتها بواسطة WeasyPrint وتحليلها بحثاً عن سلاسل إعادة التوجيه
4. مراقبة محاولات الوصول إلى نقاط نهاية بيانات السحابة
5. تنفيذ توقيعات IDS/IPS للكشف عن أنماط استغلال إعادة التوجيه SSRF
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.8.1.1 - User endpoint devices
ECC 2024 A.8.2.3 - Segregation of networks
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Business objectives and strategies
SAMA CSF PR.AC-3 - Access control and user rights management
SAMA CSF PR.DS-1 - Data security and protection
SAMA CSF DE.CM-1 - Detection and analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.13.1 - Network security
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws
PCI DSS 6.5.10 - Broken authentication
PCI DSS 11.3 - Penetration testing
🔗 References & Sources 3
🔗
https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565
security-advisories@github.com
Patch
🔗
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
security-advisories@github.com
Exploit
Third Party Advisory
🔗
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
kozea:weasyprint