CVE-2025-68616: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in Kozea WeasyPrint
WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer's security policy. Version 68.0 contains a patch for the issue.
AI Analysis
Technical Summary
Kozea WeasyPrint is a Python library used by web developers to generate PDF documents from HTML and CSS. Prior to version 68.0, WeasyPrint's default URL fetching mechanism, `default_url_fetcher`, contained a critical security flaw that allowed attackers to bypass server-side request forgery (SSRF) protections. The vulnerability stems from the use of Python's urllib library, which automatically follows HTTP redirects without reapplying the developer's custom URL filtering or blocking rules on the redirected URLs. This means that even if a developer implements a custom `url_fetcher` to block access to internal network resources (e.g., localhost services or cloud provider metadata endpoints), an attacker can craft a URL that redirects to these protected resources, effectively bypassing the security controls. This is classified under CWE-601 (Open Redirect) and CWE-918 (Server-Side Request Forgery). The impact is significant because it allows unauthorized internal network access, potentially exposing sensitive information or enabling further attacks within the internal network. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The issue was publicly disclosed in January 2026 and fixed in WeasyPrint version 68.0. No known exploits have been reported in the wild yet, but the high CVSS score (7.5) indicates a serious risk. Organizations using affected versions should upgrade immediately and audit their URL fetching implementations to ensure robust validation of redirected URLs.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized internal network access through WeasyPrint instances used in web applications or document generation services. Attackers could exploit this flaw to access sensitive internal endpoints such as localhost services or cloud metadata APIs, potentially leading to leakage of confidential information, credential exposure, or further lateral movement within the network. Organizations relying on WeasyPrint in cloud environments are particularly vulnerable to metadata endpoint exposure, which can lead to compromise of cloud credentials and resources. Given the ease of exploitation (no authentication or user interaction required) and the widespread use of WeasyPrint in web development, the threat could impact a broad range of sectors including finance, healthcare, government, and technology companies across Europe. The vulnerability could also undermine compliance with data protection regulations like GDPR if sensitive internal data is exposed. Although no active exploitation has been reported, the potential impact on confidentiality is high, warranting urgent remediation.
Mitigation Recommendations
1. Upgrade all WeasyPrint deployments to version 68.0 or later, which contains the patch addressing this vulnerability.
2. Review and harden any custom `url_fetcher` implementations to ensure that URL validation is performed after any HTTP redirects, not just on the initial URL.
3. Implement network-level controls such as firewall rules or internal service segmentation to restrict access to sensitive internal endpoints (e.g., localhost services, cloud metadata endpoints) from application servers running WeasyPrint.
4. Monitor logs for unusual URL fetch requests or unexpected internal resource access attempts originating from WeasyPrint processes.
5. Conduct security testing and code reviews focusing on SSRF and open redirect protections in all components that perform URL fetching or HTTP requests.
6. Educate developers about the risks of automatic redirect following and the importance of validating all URLs after redirection.
7. If upgrading immediately is not feasible, consider disabling or restricting URL fetching features in WeasyPrint or isolating the service in a network environment with limited access to internal resources.
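The following is an added example (not code from WeasyPrint or from this advisory) of the defensive pattern that the technical summary and mitigation step 2 describe: disable urllib's automatic redirect following, then walk the redirect chain by hand and re-apply the allow/deny policy to every hop, so a redirect to `localhost` or a link-local metadata address is rejected rather than silently fetched. The function names (`is_allowed_url`, `fetch_validated`, `urllib_single_request`), the injectable `request`/`resolver` parameters, and the constructed in-memory redirect chain and DNS table used by `demo()` are all assumptions made for this illustration.

```python
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None tells urllib not to build a follow-up request


def default_resolver(host):
    """Resolve a hostname to all of its IP address strings (real DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_allowed_url(url, resolver=default_resolver):
    """Policy check that must run on *every* hop of a fetch, not only the first URL."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False  # unresolvable hosts are rejected, not retried
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False
    return True


def urllib_single_request(url, timeout=10):
    """One HTTP request with redirects disabled; returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in REDIRECT_CODES:
            return err.code, err.headers.get("Location"), b""
        raise


def fetch_validated(url, request=urllib_single_request,
                    resolver=default_resolver, max_redirects=5):
    """Follow redirects manually, re-checking the policy before each hop.
    Returns (final_url, body); raises PermissionError naming a rejected hop."""
    current = url
    for _ in range(max_redirects + 1):
        if not is_allowed_url(current, resolver):
            raise PermissionError(f"blocked fetch of {current}")
        status, location, body = request(current)
        if status not in REDIRECT_CODES:
            return current, body
        if not location:
            raise ValueError(f"{status} without Location from {current}")
        current = urllib.parse.urljoin(current, location)  # Location may be relative
    raise ValueError("too many redirects")


# Constructed, offline stand-in for the network (assumption, not real hosts): a chain
# that starts at a public host and tries to bounce the fetcher to a metadata address.
FAKE_RESPONSES = {
    "https://example.com/report.css": (302, "http://169.254.169.254/latest/meta-data/", b""),
    "https://example.com/logo.png": (302, "/static/logo.png", b""),
    "https://example.com/static/logo.png": (200, None, b"PNG..."),
}
FAKE_DNS = {"example.com": ["93.184.216.34"]}


def fake_request(url):
    return FAKE_RESPONSES[url]


def fake_resolver(host):
    return FAKE_DNS[host]


def demo():
    """Run both constructed chains; the benign one completes, the hostile one is blocked."""
    results = {}
    for start in ("https://example.com/logo.png", "https://example.com/report.css"):
        try:
            final, _body = fetch_validated(start, request=fake_request, resolver=fake_resolver)
            results[start] = ("ok", final)
        except PermissionError as err:
            results[start] = ("blocked", str(err))
    return results


if __name__ == "__main__":
    for start, outcome in demo().items():
        print(start, "->", outcome)
```

In a real `url_fetcher`, the body returned by `fetch_validated` would be wrapped in the dict WeasyPrint's fetcher contract expects; the point here is that the policy runs before each request, including the ones urllib would otherwise issue on its own. Two caveats remain with any resolve-then-connect check: the name is resolved once here and again by the HTTP client, so a DNS-rebinding host can still slip between the two lookups, and the policy only covers `http`/`https`, so other schemes are refused outright. Network-level blocking of the metadata endpoint (mitigation 3) is the backstop for both.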
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-19T14:58:47.824Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696e50b9d302b072d9ca67ad
Added to database: 1/19/2026, 3:41:45 PM
Last enriched: 1/19/2026, 3:56:21 PM
Last updated: 1/19/2026, 7:12:40 PM