CVE-2025-68616: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in Kozea WeasyPrint
CVE-2025-68616 is a high-severity vulnerability in Kozea WeasyPrint versions prior to 68.0 that allows attackers to bypass server-side request forgery (SSRF) protections via open redirects. The issue arises because WeasyPrint's default URL fetcher uses Python's urllib library, which automatically follows HTTP redirects without re-validating the redirected URL against custom security policies. This enables attackers to access internal network resources such as localhost services or cloud metadata endpoints, even if developers have implemented custom URL fetchers to block such access. The vulnerability does not require authentication or user interaction and has a CVSS score of 7.5. The flaw was patched in version 68.0. European organizations using vulnerable versions of WeasyPrint in web applications that generate PDFs could be at risk of internal network exposure and data leakage. Mitigation involves upgrading to version 68.
AI Analysis
Technical Summary
CVE-2025-68616 is an open redirect vulnerability classified under CWE-601 and CWE-918 affecting Kozea WeasyPrint versions before 68.0. WeasyPrint is a Python library used by web developers to convert HTML and CSS documents into PDF files. The vulnerability lies in the `default_url_fetcher` function, which fetches external resources during PDF generation. Developers often implement custom URL fetchers to restrict access to internal resources and prevent SSRF attacks. However, the underlying Python urllib library automatically follows HTTP redirects without re-checking the redirected URL against these custom security policies. This behavior allows an attacker to craft a URL that initially points to a permitted domain but redirects to an internal or otherwise restricted resource, such as localhost services or cloud metadata endpoints (e.g., AWS or Azure metadata services). Exploiting this flaw can lead to unauthorized access to sensitive internal network resources, potentially exposing confidential data or enabling further attacks. The vulnerability does not require any authentication or user interaction, increasing its risk. The issue was addressed in WeasyPrint version 68.0 by modifying the URL fetcher to properly validate redirected URLs against security policies before following them. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, no privileges required, no user interaction, and high confidentiality impact.
Potential Impact
For European organizations, this vulnerability poses a significant risk of internal network exposure and data leakage. Organizations using WeasyPrint in web applications that generate PDFs from user-supplied or external HTML content may inadvertently allow attackers to access internal services or cloud metadata endpoints. This could lead to disclosure of sensitive information such as internal APIs, configuration data, or cloud credentials. The impact is particularly critical for organizations relying on cloud infrastructure where metadata endpoints provide access to instance credentials. Exploitation could facilitate lateral movement within networks or unauthorized access to protected resources. The vulnerability affects confidentiality but does not directly impact integrity or availability. Given the ease of exploitation without authentication or user interaction, attackers can remotely exploit this flaw to gain sensitive information. This risk is heightened in sectors with strict data protection regulations like GDPR, where data breaches can lead to severe legal and financial consequences.
Mitigation Recommendations
The primary mitigation is to upgrade WeasyPrint to version 68.0 or later, where the vulnerability is patched. Organizations should audit their use of WeasyPrint and identify any instances running vulnerable versions. For environments where immediate upgrade is not feasible, developers should implement strict validation of all URLs, including those resulting from redirects, within custom URL fetchers. This validation should explicitly block access to internal IP ranges (e.g., 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16) and cloud metadata service IPs. Additionally, network-level controls such as firewall rules can restrict outbound HTTP requests from application servers to internal networks or metadata endpoints. Monitoring and logging URL fetcher activity can help detect suspicious redirect patterns. Finally, organizations should review their PDF generation workflows to ensure that untrusted user input is sanitized and that external resource fetching is minimized or sandboxed where possible.
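As an added example (not code from this page or from the WeasyPrint project), the helper below implements the redirect-aware validation the mitigation above calls for: it stops urllib from following redirects on its own and re-checks every Location hop against a deny-list of internal and link-local ranges before requesting it. The function names, the blocked-network list and the `resolve` hook are assumptions of this example, and WeasyPrint itself is not imported.

```python
import ipaddress
import socket
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

# Address ranges a redirect hop must never land in. Constructed policy for this
# example; extend it to match your own network layout.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",  # link-local, which contains the cloud metadata address 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_CODES = (301, 302, 303, 307, 308)

def is_url_allowed(url, resolve=socket.gethostbyname):
    """True only for http(s) URLs whose host resolves outside BLOCKED_NETWORKS."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)  # literal IP in the URL
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolve(parts.hostname))  # hostname: resolve it
        except (OSError, ValueError):
            return False  # unresolvable host: fail closed
    return not any(ip in net for net in BLOCKED_NETWORKS)

class NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_checking_every_hop(url, opener=None, resolve=socket.gethostbyname, max_hops=5):
    """Follow redirects by hand, re-validating each Location before requesting it.
    Returns (response, final_url); raises ValueError when a hop is blocked."""
    opener = opener or urllib.request.build_opener(NoAutoRedirect)
    for _ in range(max_hops + 1):
        if not is_url_allowed(url, resolve):
            raise ValueError(f"blocked by URL policy: {url}")
        try:
            return opener.open(url), url  # 2xx reached on a validated URL
        except HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in REDIRECT_CODES or not location:
                raise
            url = urljoin(url, location)  # next hop goes back through the policy check
    raise ValueError("too many redirects")
```

A custom WeasyPrint `url_fetcher` can wrap `fetch_checking_every_hop` and return the response as `file_obj` together with the final URL as `redirected_url`. The address is checked once and then resolved again by urllib on connect, so pair this with the network-level egress rules the advisory recommends.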
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-12-19T14:58:47.824Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696e50b9d302b072d9ca67ad
Added to database: 1/19/2026, 3:41:45 PM
Last enriched: 1/26/2026, 8:05:14 PM
Last updated: 2/7/2026, 4:08:42 PM