Advisories for Pypi/Weasyprint package

2024

WeasyPrint allows the attachment of arbitrary files and URLs to a PDF

Impact

Since version 61.0, a vulnerability allows the content of arbitrary files and URLs to be attached to a generated PDF document, even when url_fetcher is configured to prevent access to those files and URLs.

Patches

Fixed by commit 734ee8e, included in version 61.2.

Workarounds

Check that no PDF attachment is defined in the source HTML.

Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.
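The first workaround above, checking the source HTML for attachment declarations before rendering, is easy to automate. The following is an added example written for this page; it is not code from the advisory or from the WeasyPrint project. It assumes that WeasyPrint declares PDF attachments with `<link rel="attachment" href="...">` (the documented WeasyPrint mechanism; the advisory itself only says "attachment defined in source HTML"), that a custom url_fetcher has the documented signature `(url, timeout=10, ssl_context=None)`, and it uses a constructed host allowlist. WeasyPrint's `HTML` class and `default_url_fetcher` are passed in as parameters so the module runs without WeasyPrint installed.

```python
"""Pre-render checks for WeasyPrint input (added example, not from the advisory or WeasyPrint).

Assumptions not stated on the advisory page:
  * PDF attachments are declared as <link rel="attachment" href="..."> in the HTML source.
  * A custom url_fetcher is a callable (url, timeout=10, ssl_context=None) returning the
    same kind of dict as weasyprint.default_url_fetcher.
  * ALLOWED_HOSTS is a constructed allowlist for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AttachmentLinkFinder(HTMLParser):
    """Collect href values of <link> elements whose rel tokens include 'attachment'."""

    def __init__(self):
        super().__init__()
        self.attachments = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        rel_tokens = attr.get("rel", "").lower().split()
        if "attachment" in rel_tokens:
            self.attachments.append(attr.get("href", ""))


def find_pdf_attachments(html: str) -> list:
    """Return every href declared as a PDF attachment in the HTML source."""
    finder = _AttachmentLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.attachments


def has_pdf_attachments(html: str) -> bool:
    """True if the document declares at least one PDF attachment."""
    return bool(find_pdf_attachments(html))


ALLOWED_HOSTS = {"assets.example.internal"}  # constructed allowlist, replace with your own


def is_url_allowed(url: str) -> bool:
    """Allow inline data: URIs and http(s) fetches to allowlisted hosts; deny everything else."""
    parts = urlsplit(url)
    if parts.scheme == "data":
        return True  # embedded content, no file or network access involved
    if parts.scheme not in ("http", "https"):
        return False  # rejects file://, ftp://, scheme-less paths, and so on
    return parts.hostname in ALLOWED_HOSTS


def make_restricted_fetcher(default_fetcher):
    """Wrap a WeasyPrint-style fetcher so it only resolves URLs that pass is_url_allowed."""
    def fetcher(url, timeout=10, ssl_context=None):
        if not is_url_allowed(url):
            raise ValueError(f"blocked URL fetch: {url}")
        return default_fetcher(url, timeout=timeout, ssl_context=ssl_context)
    return fetcher


def render_pdf_safely(html: str, html_class, default_fetcher) -> bytes:
    """Refuse any document that declares attachments, then render with the restricted fetcher.

    html_class is expected to be weasyprint.HTML and default_fetcher
    weasyprint.default_url_fetcher; both are parameters so this module imports cleanly
    on a machine without WeasyPrint.
    """
    found = find_pdf_attachments(html)
    if found:
        raise ValueError(f"refusing to render: PDF attachments declared: {found}")
    document = html_class(string=html, url_fetcher=make_restricted_fetcher(default_fetcher))
    return document.write_pdf()
```

The attachment pre-check is what protects versions 61.0 and 61.1, where the fetcher is bypassed for attachments; the restricted fetcher remains useful after upgrading to 61.2, since the fix routes attachments through url_fetcher. The `data:` allowance keeps inline images working; drop it if your documents never embed content that way.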