CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-28184: WeasyPrint allows the attachment of arbitrary files and URLs to a PDF

7.4 CVSS

Description

WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.

Classification

CVE ID: CVE-2024-28184

CVSS Base Severity: HIGH

CVSS Base Score: 7.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Affected Products

Vendor: Kozea

Product: WeasyPrint

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.39% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r
https://github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/

Timeline

2025-02-14 00:31:49 UTC
CVE

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF