CVE-2024-28184

7.4 HIGH

📋 TL;DR

CVE-2024-28184 is a vulnerability in WeasyPrint that allows attackers to bypass URL fetching restrictions and attach arbitrary file or URL content to generated PDF documents. It affects web developers and applications that use WeasyPrint versions 61.0 through 61.1 to generate PDFs from untrusted input.

💻 Affected Systems

Products:
  • WeasyPrint
Versions: 61.0 through 61.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where WeasyPrint processes untrusted HTML/CSS input for PDF generation. The vulnerability bypasses url_fetcher restrictions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could exfiltrate sensitive files from the server (including configuration files, credentials, or private data) by embedding them in generated PDFs, leading to data breach and system compromise.

🟠 Likely Case

Information disclosure where attackers can read arbitrary files accessible to the WeasyPrint process, potentially exposing application source code, configuration files, or other sensitive data.

🟢 If Mitigated

Limited impact if WeasyPrint runs with minimal file system permissions and processes only trusted input, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to control input to WeasyPrint, which is common in web applications that generate PDFs from user-provided content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 61.2

Vendor Advisory: https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r

Restart Required: No

Instructions:

1. Upgrade WeasyPrint to version 61.2 or later using pip: 'pip install --upgrade weasyprint==61.2'
2. Verify the installation with: 'python -c "import weasyprint; print(weasyprint.__version__)"'
3. Test PDF generation functionality.

🔧 Temporary Workarounds

Restrict file system access

linux

Run WeasyPrint in a sandboxed environment with minimal file system permissions

chroot /path/to/sandbox
docker run --read-only -v /tmp:/tmp:ro ...

Input validation

all

Sanitize HTML/CSS input to remove file:// and other local URL schemes before passing it to WeasyPrint.

🧯 If You Can't Patch

  • Implement strict input validation to reject any file:// URLs or local paths in HTML/CSS input
  • Run WeasyPrint with minimal privileges using containerization or chroot to limit file system access
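The input-validation workaround above (rejecting file:// URLs and local paths before the HTML reaches WeasyPrint) as an added Python example; this is not code from the WeasyPrint project or from this advisory. It uses an allow-list (only absolute http/https references pass; that choice is an assumption to adjust per application) rather than a file:// deny-list, and checks href/src attributes, inline style= and <style> blocks. Because the vulnerability bypasses url_fetcher, the check runs on the raw HTML string before any WeasyPrint call.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list (assumption): only absolute http(s) URLs pass; file://, relative paths, data: are rejected.
ALLOWED_SCHEMES = {"http", "https"}
URL_ATTRS = {"href", "src", "data", "poster"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)
CSS_IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""", re.IGNORECASE)

def is_allowed_remote(ref: str) -> bool:
    """True only for absolute URLs with an allow-listed scheme and a host."""
    parts = urlsplit(ref.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

class _RefCollector(HTMLParser):  # collects URL references from attributes, style= and <style>
    def __init__(self):
        super().__init__()
        self.refs = []  # (location, reference) pairs
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value and name in URL_ATTRS:
                self.refs.append((f"<{tag} {name}>", value))
            elif value and name == "style":  # inline CSS such as background: url(...)
                self.refs += [(f"<{tag} style>", u) for u in CSS_URL_RE.findall(value)]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # <style> content arrives here as raw CSS text
            self.refs += [("<style>", u) for u in CSS_URL_RE.findall(data)]
            self.refs += [("<style> @import", u) for u in CSS_IMPORT_RE.findall(data)]

def find_local_references(html: str) -> list:
    """Return (location, reference) pairs that are not allow-listed remote URLs."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    return [(where, ref) for where, ref in collector.refs if not is_allowed_remote(ref)]

def safe_to_render(html: str) -> bool:
    """Gate to call before weasyprint.HTML(string=html).write_pdf(); True when no local refs."""
    return not find_local_references(html)
```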

🔍 How to Verify

Check if Vulnerable:

Check the WeasyPrint version: 'python -c "import weasyprint; print(weasyprint.__version__)"'. If the version is 61.0 or 61.1, the system is vulnerable.

Check Version:

python -c "import weasyprint; print(weasyprint.__version__)"

Verify Fix Applied:

After upgrading, verify that the version is 61.2 or higher and test that file:// URLs in HTML input no longer result in file content being embedded in PDFs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns by WeasyPrint process
  • Large PDF generation times for small inputs
  • Multiple failed file access attempts in system logs

Network Indicators:

  • PDF files containing unexpected binary data or file content
  • Unusual outbound traffic patterns after PDF generation

SIEM Query:

process.name:"python" AND process.args:"weasyprint" AND (file.path:"/etc/*" OR file.path:"/home/*" OR file.path:"/root/*")
