CVE-2024-28184: WeasyPrint allows the attachment of arbitrary files and URLs to a PDF

March 8, 2024 (updated March 11, 2024)

Impact

Since version 61.0, there’s a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if url_fetcher is configured to prevent access to files and URLs.

Patches

Fixed by 734ee8e that’s included in 61.2

Workarounds

Check that no PDF attachment is defined in source HTML.
Launch WeasyPrint in a sandbox that prevents access to the filesystem and the network.

References

github.com/Kozea/WeasyPrint
github.com/Kozea/WeasyPrint/commit/734ee8e2dc84ff3090682f3abff056d0907c8598
github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r
github.com/advisories/GHSA-35jj-wx47-4w8r
nvd.nist.gov/vuln/detail/CVE-2024-28184

Detect and mitigate CVE-2024-28184 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →