Source: weasyprint
Version: 67.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <[email protected]>

Dear Maintainer,

WeasyPrint is affected by CVE-2025-68616 (GHSA-983w-rhvv-gwmv), a server-side request forgery (SSRF) protection bypass in all versions prior to 68.0.

A url_fetcher supplied by an application to validate and block URLs can be bypassed: the underlying urllib follows HTTP redirects automatically without re-validating the redirect target against the application's policy (TOCTOU). An attacker can therefore reach internal resources such as localhost services or cloud metadata endpoints despite the filter. (CWE-918 / CWE-601, CVSS 7.5.)

Fixed upstream in 68.0, which sets allow_redirects=False in the URLFetcher and deprecates default_url_fetcher in favour of a new URLFetcher class. Current upstream release is 69.0.

All suites currently ship affected versions: bullseye 51-2, bookworm 57.2-1, trixie 62.3-1, testing/sid 67.0-1.

Note: this CVE is currently marked NOT-FOR-US in the security tracker, which appears incorrect since weasyprint is packaged in Debian (src:weasyprint, main). I am also submitting a merge request against the security-tracker to correct this.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-68616
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv

-- System Information:
Debian Release: kali-rolling
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.34+rpt-rpi-2712 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
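Added illustration of the TOCTOU described in the report; this is not part of the bug report and not WeasyPrint's own code. It shows the vulnerable pattern (a url_fetcher that checks the URL once and then hands it to urllib's default opener, which follows 3xx responses silently) next to a hardened variant that subclasses urllib's HTTPRedirectHandler so the same host policy runs on every redirect target, and caps the hop count. The names check_policy, PolicyRedirectHandler, naive_fetcher and safe_fetcher are this example's own; the dict returned by safe_fetcher only sketches the url_fetcher return shape and is not WeasyPrint's API. All sample URLs are constructed, and the checks below use literal addresses and localhost so that nothing touches the network.

```python
# Added example, not WeasyPrint code: host policy applied to the initial URL and
# to every HTTP redirect target.  check_policy, PolicyRedirectHandler, naive_fetcher
# and safe_fetcher are names chosen for this illustration (assumptions).
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse


class BlockedURL(ValueError):
    """Raised when a URL (initial or redirect target) fails the host policy."""


def resolve_host(host):
    """Addresses a host maps to; literal IPs and *.localhost never touch DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host == "localhost" or host.endswith(".localhost"):
        return [ipaddress.ip_address("127.0.0.1")]
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise BlockedURL(f"cannot resolve {host}: {exc}") from exc
    # Drop any IPv6 zone id ("fe80::1%eth0") before parsing the address.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


def check_policy(url):
    """Allow only http(s) URLs whose host resolves exclusively to global addresses."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {url}")
    if not parts.hostname:
        raise BlockedURL(f"missing host: {url}")
    for addr in resolve_host(parts.hostname):
        if not addr.is_global:  # loopback, RFC 1918, link-local, ULA, shared space
            raise BlockedURL(f"{url} resolves to non-public address {addr}")


def policy_allows(url):
    """Boolean view of check_policy, convenient for tests and logging."""
    try:
        check_policy(url)
        return True
    except BlockedURL:
        return False


class PolicyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-validate every 3xx target before urllib follows it.

    urllib calls redirect_request with the Location value; raising here aborts
    the fetch, so a redirect from a vetted public host to 169.254.169.254 or
    127.0.0.1 can no longer slip past the check made on the original URL.
    """
    max_redirections = 5  # honoured by HTTPRedirectHandler.http_error_302

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_policy(newurl)  # the step the vulnerable pattern never performs
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_allowed(from_url, to_url, code=302):
    """Drive the handler exactly as urllib would for a GET that received a 3xx."""
    req = urllib.request.Request(from_url)
    try:
        new_req = PolicyRedirectHandler().redirect_request(
            req, None, code, "Found", {}, to_url)
    except BlockedURL:
        return False
    return new_req is not None and new_req.full_url == to_url


def naive_fetcher(url, timeout=10):
    """Vulnerable pattern: one check, then an opener that follows 3xx silently."""
    check_policy(url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


_opener = urllib.request.build_opener(PolicyRedirectHandler)


def safe_fetcher(url, timeout=10):
    """Hardened url_fetcher: policy on the first URL and again on every hop."""
    check_policy(url)
    with _opener.open(url, timeout=timeout) as resp:
        return {"string": resp.read(),
                "mime_type": resp.headers.get_content_type(),
                "redirected_url": resp.geturl()}


if __name__ == "__main__":
    # Constructed targets; none of these calls opens a socket.
    for url in ("http://8.8.8.8/report.html",
                "http://169.254.169.254/latest/meta-data/",
                "http://localhost:6379/", "http://[::1]/", "file:///etc/passwd"):
        print(f"{url:45} initial check: {'allow' if policy_allows(url) else 'BLOCK'}")
    hop = ("http://8.8.8.8/report.html", "http://127.0.0.1:2375/containers/json")
    print("redirect to loopback target:", "allow" if redirect_allowed(*hop) else "BLOCK")
```

naive_fetcher and safe_fetcher behave identically for a direct request; they differ only when the first host answers with a 3xx, which is exactly the bypass the report describes. Blocking redirects outright, as upstream 68.0 does with allow_redirects=False, is the simpler choice when the application has no legitimate need for them. One caveat this example does not solve: the policy resolves the host name once and urllib resolves it again when connecting, so a DNS-rebinding attacker can still present a public address to the check and a private one to the socket; pinning the resolved address (connecting by IP and sending the Host header) closes that gap.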

