#1139189 weasyprint: CVE-2025-68616: SSRF protection bypass via HTTP redirects in default_url_fetcher #1139189
- Package: src:weasyprint
- Source: src:weasyprint
- Submitter: Fox Inta
- Date: 2026-06-15 09:51:03 UTC
- Severity: normal
- Tags:
Dear Maintainer,

WeasyPrint is affected by CVE-2025-68616 (GHSA-983w-rhvv-gwmv), a server-side request forgery (SSRF) protection bypass in all versions prior to 68.0. A url_fetcher supplied by an application to validate and block URLs can be bypassed: the underlying urllib follows HTTP redirects automatically without re-validating the redirect target against the application's policy (TOCTOU). An attacker can therefore reach internal resources such as localhost services or cloud metadata endpoints despite the filter. (CWE-918 / CWE-601, CVSS 7.5.)

Fixed upstream in 68.0, which sets allow_redirects=False in the URLFetcher and deprecates default_url_fetcher in favour of a new URLFetcher class. Current upstream release is 69.0.

All suites currently ship affected versions: bullseye 51-2, bookworm 57.2-1, trixie 62.3-1, testing/sid 67.0-1.

Note: this CVE is currently marked NOT-FOR-US in the security tracker, which appears incorrect since weasyprint is packaged in Debian (src:weasyprint, main). I am also submitting a merge request against the security-tracker to correct this.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-68616
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv
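The bypass described in the report, as an added example that is not WeasyPrint's code: a URL policy is consulted once, the HTTP client then follows a 302 on its own, and the fetch lands on a host the policy would have blocked. The policy function, the allowlisted hostname, the in-memory FAKE_SERVER standing in for the network, and all function names are assumptions constructed for the demo. Two remedies are shown: re-running the policy on every hop, and a urllib redirect handler that refuses 3xx responses outright (the effect that upstream's allow_redirects=False has in its own fetcher).

```python
"""Added example (not WeasyPrint's code): a URL policy checked once before the
fetch, followed by a client that auto-follows redirects, lets an allowed host
bounce the fetcher to a blocked one.  Two fixes: refuse redirects outright, or
re-run the policy on every hop.  Policy, hostnames and the fake server below
are constructed for the demo."""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Hypothetical application policy: hostnames must be allowlisted, literal IPs
# must be public.  (A production check would also resolve names and pin the
# resolved address to the connection to defeat DNS rebinding.)
ALLOWED_HOSTS = {"reports.example.com"}
MAX_HOPS = 5


def url_allowed(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return parts.hostname in ALLOWED_HOSTS
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


# Constructed stand-in for the network: (status, body-or-Location) per URL.
# The allowed host answers with a 302 to the cloud metadata endpoint.
FAKE_SERVER = {
    "https://reports.example.com/logo.png": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, b"iam/\ninstance-id\n"),
}


def transport_get(url):
    """One constructed HTTP round trip."""
    return FAKE_SERVER[url]


def auto_follow_get(url):
    """Models a client that follows 3xx on its own, as urllib's default opener does."""
    for _ in range(MAX_HOPS):
        status, payload = transport_get(url)
        if status == 200:
            return url, payload
        url = urljoin(url, payload)
    raise RuntimeError("too many redirects")


def naive_fetch(url):
    """The bypassed pattern: policy consulted once, then the client wanders off."""
    if not url_allowed(url):
        raise PermissionError(f"blocked by policy: {url}")
    return auto_follow_get(url)          # later hops are never checked (TOCTOU)


def safe_fetch(url):
    """Follow redirects by hand so every hop passes the same policy check."""
    for _ in range(MAX_HOPS):
        if not url_allowed(url):
            raise PermissionError(f"blocked by policy: {url}")
        status, payload = transport_get(url)
        if status == 200:
            return url, payload
        url = urljoin(url, payload)
    raise RuntimeError("too many redirects")


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """For real urllib use: turn any 3xx into an error instead of following it.
    urllib.request.build_opener(RefuseRedirects) replaces the default handler."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(req.full_url, code,
                                     f"redirect to {newurl} refused", headers, fp)


def opener_refuses_redirect(url, location, code=302):
    """Exercise the handler offline: True if the would-be redirect is refused."""
    handler = RefuseRedirects()
    req = urllib.request.Request(url)
    try:
        handler.redirect_request(req, None, code, "Found", {}, location)
    except urllib.error.HTTPError:
        return True
    return False


if __name__ == "__main__":
    start = "https://reports.example.com/logo.png"
    print("naive:", naive_fetch(start))            # lands on the metadata endpoint
    try:
        safe_fetch(start)
    except PermissionError as exc:
        print("safe: ", exc)
    print("urllib handler refuses redirect:",
          opener_refuses_redirect(start, FAKE_SERVER[start][1]))
```

Refusing redirects is the smaller change and is what a PDF renderer can afford, since a redirecting stylesheet or image is unusual; re-validating each hop keeps redirects working but only if the same policy, including address resolution, runs before every connection.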
Appreciate the quick re-triage. I see the tracker now associates CVE-2025-68616 with src:weasyprint across all releases, so the merge request I mentioned isn't needed. Thank you, Fox
We believe that the bug you reported is fixed in the latest version of weasyprint, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139189@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp. Stéphane Glondu <glondu@debian.org> (supplier of updated weasyprint package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 15 Jun 2026 11:12:50 +0200
Source: weasyprint
Architecture: source
Version: 69.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Stéphane Glondu <glondu@debian.org>
Closes: 1138942 1139189
Changes:
 weasyprint (69.0-1) unstable; urgency=medium
 .
   [ Stéphane Glondu ]
   * New upstream release (Closes: #1139189)
   * Replace Scott by myself in Uploaders (Closes: #1138942)
 .
   [ Michael R. Crusoe ]
   * d/rules: simplifications
   * Enable running most of the tests at build time and as autopkgtests.
Checksums-Sha1:
 6df1422c54b1f734ce9d34718ac2099c1a136b91 2086 weasyprint_69.0-1.dsc
 97dc1981e7fe80c01b4ab5b4d6d49da9fb0eb54d 1549834 weasyprint_69.0.orig.tar.gz
 bee58de45a09200c89b3fce8ba18e371e28571fe 5036 weasyprint_69.0-1.debian.tar.xz
Checksums-Sha256:
 43378af0ddca8e49808c903b46bf8c5c8e16cd6670c59e875a29f70046d52c1b 2086 weasyprint_69.0-1.dsc
 a7a32f39ca16bd82ef11de99c92ea4b5f14951c9033af035e451ce4f4ee0a88c 1549834 weasyprint_69.0.orig.tar.gz
 dc3350a420b813e6fca2d4aca1bb637ca51b9d8bec0370328f9362f9e2b60cfd 5036 weasyprint_69.0-1.debian.tar.xz
Files:
 d41847d174060d4b69be3bfc6dcd6c2b 2086 text optional weasyprint_69.0-1.dsc
 267e1bd34e02655399bc72b45f697be3 1549834 text optional weasyprint_69.0.orig.tar.gz
 5fc5e6973e5bba0fe40c8f63866ce1ed 5036 text optional weasyprint_69.0-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQFGBAEBCgAwFiEEbeJOl+yohsxW5iUOIbju8bGJMIEFAmovxecSHGdsb25kdUBk
ZWJpYW4ub3JnAAoJECG47vGxiTCB23gH/1MitwUBJ1UgzRayW0f3Bj6L9OXgmAiK
bgVKY/IBkRNOJfDcO5b1meKsfKlTH8XvC3iehxkcD4WvUp0VMc8Mdq1fig2awIm7
rokbSfM42pQryprJr3ofZ/zoBYYt/VWw1sidNtXiQThjUnlpsKN3YKCfa3BUz1Mf
SWol9ykhsIzqayPz+6VafIeNLBBB0wRtAsQloUkOFzOABUDx2iosGPUuzSa06jtR
JjBLlub9D4EJ92saClhae0DJe3rvH38B8/73Q3m5CB6UPiM4R3QbJ/3AWK2GZsz8
jCGBaJVwnTDWqxm+4RA08Y+dgSZJ511PoYXGLRUbP3fsG6hVeL1c8i8=
=5S0k
-----END PGP SIGNATURE-----