Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) protection bypass in WeasyPrint's `default_url_fetcher`. It occurs because the underlying Python `urllib` library automatically follows HTTP redirects without re-validating the redirected URL against any custom security policies set by developers. Attackers can exploit this by providing a URL that passes initial validation but redirects to internal network resources like localhost services or cloud metadata endpoints, which are normally blocked. This allows attackers to bypass URL allowlists or blocklists and access sensitive internal resources. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to access internal network resources that should be protected, such as localhost services or cloud metadata endpoints. This can lead to internal network reconnaissance, exposure of sensitive internal services (e.g., Redis, ElasticSearch, admin panels), and exfiltration of cloud metadata service data, which may enable credential theft and privilege escalation. Additionally, security controls relying on URL fetcher validation can be bypassed, rendering them ineffective. [1]

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability, monitor HTTP requests made by WeasyPrint or related services for unexpected redirects to internal network addresses such as localhost (127.0.0.1) or cloud metadata endpoints (e.g., 169.254.169.254). You can use network traffic analysis tools like tcpdump or Wireshark to capture and inspect outgoing HTTP requests and responses, looking specifically for HTTP redirect status codes (301, 302, 307) followed by internal IP addresses. For example, use the command: `tcpdump -i any -nn -s 0 -A 'tcp port 80 or tcp port 443'` to capture HTTP traffic and manually inspect for suspicious redirects. Additionally, review application logs for URL fetch attempts and redirects that bypass custom URL fetcher policies. Since the vulnerability involves automatic redirect following without re-validation, testing with crafted URLs that redirect to internal resources can help confirm if the system is vulnerable. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading WeasyPrint to version 68.0 or later, where the vulnerability is patched by disabling automatic HTTP redirects in the `default_url_fetcher`. If upgrading is not immediately possible, avoid using the vulnerable `default_url_fetcher` function or replace it with the new `URLFetcher` class that allows controlled redirect handling via the `allow_redirects` parameter. Additionally, review and strengthen URL fetching policies to ensure redirects are validated against security policies before being followed. Blocking or filtering HTTP redirects at the network level may also help reduce risk temporarily. Ultimately, applying the official patch and migrating to the updated URL fetching mechanism is the recommended solution. [2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to bypass SSRF protections and access internal network resources, including sensitive internal services and cloud metadata endpoints. Such unauthorized access can lead to exposure of sensitive data and credentials, which may result in violations of data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information. Therefore, the vulnerability poses a risk to compliance with these standards by potentially enabling data breaches and unauthorized data access. [1]

Useful 0 Not Useful 0