PyPI: WeasyPrint

CVE-2024-28184

Safety vulnerability ID: 71637

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Mar 09, 2024 Updated at Feb 20, 2025

Advisory

Affected versions of WeasyPrint contain an arbitrary file content attachment vulnerability. It enables attackers to attach content from arbitrary files and URLs to generated PDF documents, bypassing the restrictions imposed by the configured `url_fetcher`. The attack exploits weaknesses in WeasyPrint’s file and URL handling during PDF generation. To mitigate, upgrade to version 61.2 or later, which patches the vulnerability and reinforces content source validation for secure PDF creation. The vulnerability specifically impacts web developers who use WeasyPrint to generate PDF documents.

Affected package

weasyprint

Latest version: 64.1

The Awesome Document Factory

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
