CVE-2024-28184

HIGH

WeasyPrint <61.2 - File/URL Injection

Title source: llm

Description

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

References (3)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/

[Vendor Advisory] https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r

[Patch] https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598

View Patch ZIP pw:eip

Scores

CVSS v3 7.4

EPSS 0.0012

EPSS Percentile 31.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-829

Status published

Products (3)

fedoraproject/fedora 40

kozea/weasyprint 61.0 - 61.2

pypi/weasyprint 61.0 - 61.2PyPI

Published Mar 09, 2024

Tracked Since Feb 18, 2026