weblate
Fixed in
5.15.1
5.15
CVE-2025-66407 describes a Server-Side Request Forgery (SSRF) vulnerability in Weblate, a web-based localization tool. The flaw lets an authenticated user reach internal resources by supplying a crafted repository URL when creating a component. It affects Weblate versions 5.14 and earlier; a fix is available in version 5.15.
An authenticated user can enter an arbitrary repository URL in the 'Create Component' form. Because the URL is not validated, the attacker can choose the scheme, hostname and IP address freely, including localhost, internal network addresses and local file paths. When the Mercurial version control backend handles such a URL, Weblate returns the full server-side HTTP response for it to the user; the Git backend is not affected. This can expose sensitive internal data, give access to internal services that are only reachable from the Weblate host, and, if such a service is itself vulnerable, potentially lead to remote code execution. The blast radius is limited to the network reachable from the Weblate server.
CVE-2025-66407 was publicly disclosed on December 15, 2025. There is no indication of active exploitation and it is not listed in the CISA KEV catalog at this time. No public proof-of-concept code is available yet, although an SSRF of this kind is simple enough that one is likely to appear. Because exploitation requires an authenticated account, the immediate widespread impact is limited.
Organizations utilizing Weblate for localization workflows, particularly those with internal network resources that are not adequately protected, are at risk. Environments with legacy Weblate installations or those lacking robust input validation practices are especially vulnerable.
• python / server:
# Check the installed Weblate version with Weblate's own management command
weblate list_versions
# or, from the package metadata
pip show weblate
• generic web:
# A running instance reports its version on the About page
curl -s https://your-weblate-instance/about/ | grep -oiE 'weblate [0-9]+(\.[0-9]+)+'
• generic web:
# Look for SSRF-style targets (file://, loopback, private and link-local addresses) in access logs
grep -Ei 'file://|127\.0\.0\.1|\[::1\]|10\.[0-9]+\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.' /var/log/nginx/access.log
# Caveat: the repository URL is submitted in the POST body of the component form, so it usually does not appear in web server access logs. Review the repository URL of every component instead, for example through the "repo" field returned by the /api/components/ endpoint.
Disclosure
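To make the validation gap described above concrete, and to support the component review the caveat asks for, the following Python is an added example (it is not Weblate's own code, nor its fix): a repository-URL check that rejects SSRF-style targets by scheme and by address class, and a scanner that applies it to a list of components in the shape of the "repo" field of /api/components/. The scheme allowlist, the internal-suffix list, the helper names and the sample components are assumptions made for this example.

```python
"""Added example (not Weblate code): reject SSRF-style repository URLs and
scan existing components for ones created before the fix.

Helper names, the scheme allowlist and the sample components are assumptions
made for this example; adapt them to your site's policy."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlparse

# Assumption: schemes a localization repository may legitimately use.
ALLOWED_SCHEMES = {"https", "http", "ssh", "git+ssh"}
# Assumption: hostname suffixes that always mean "inside our network".
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal")


def is_internal_host(host: str | None) -> bool:
    """True for hosts an SSRF payload would use to reach internal resources."""
    if not host:
        return True  # file:///etc/passwd and similar carry no host at all
    host = host.lower()
    if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)  # urlparse already strips [] from IPv6
    except ValueError:
        # A DNS name: a real fix must resolve it at validation time and apply
        # the same test to every returned address (rebinding is not covered here).
        return False
    # is_global is False for loopback, private, link-local (cloud metadata at
    # 169.254.169.254), unspecified (0.0.0.0) and reserved ranges.
    return not ip.is_global


def check_repo_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a repository URL from the component form."""
    parts = urlparse(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Also rejects bare local paths and scp-style "user@host:path" strings,
        # which urlparse reports with an empty scheme; handle those separately
        # if your deployment needs them.
        return False, f"scheme {parts.scheme or '(none)'!r} not allowed"
    if is_internal_host(parts.hostname):
        return False, f"host {parts.hostname!r} is internal or missing"
    return True, "ok"


def scan_components(components: list[dict]) -> list[tuple[str, str]]:
    """Flag components whose "repo" field fails the check, as (slug, reason)."""
    flagged = []
    for comp in components:
        ok, reason = check_repo_url(comp.get("repo", ""))
        if not ok:
            flagged.append((comp["slug"], reason))
    return flagged


# Constructed sample in the shape of the "repo" field of /api/components/;
# not real data.
SAMPLE_COMPONENTS = [
    {"slug": "website", "repo": "https://github.com/example/website.git"},
    {"slug": "probe-meta", "repo": "http://169.254.169.254/latest/meta-data/"},
    {"slug": "probe-local", "repo": "http://127.0.0.1:9200/_cat/indices"},
    {"slug": "probe-userinfo", "repo": "http://git@10.0.0.5/repo"},
    {"slug": "probe-v6", "repo": "http://[::1]:6379/"},
    {"slug": "probe-file", "repo": "file:///etc/passwd"},
]

if __name__ == "__main__":
    for slug, reason in scan_components(SAMPLE_COMPONENTS):
        print(f"{slug}: {reason}")
```

Running the script flags the five probe components and accepts the GitHub URL. The address-class test is done with `ipaddress.is_global` rather than a hand-written list of ranges so that IPv6 loopback, link-local and private ranges are covered by the same line as their IPv4 counterparts; the remaining gap, DNS names that resolve to internal addresses, has to be closed where the name is resolved, not where the string is parsed.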
Exploit status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-66407 is to upgrade Weblate to version 5.15 or later, which validates and sanitizes repository URLs. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests containing file:// URLs or internal IP addresses is a stopgap, but a weak one: the URL travels in the POST body of the component form and can be encoded in many ways. Disabling the Mercurial backend, which is the only affected one, is the more reliable interim measure. In addition, restrict network access from the Weblate server to the services it actually needs, and review and restrict user permissions within Weblate so that a compromised account cannot create components at will.
Upgrade Weblate to version 5.15 or later. Alternatively, remove Mercurial from the `VCS_BACKENDS` setting. The Git backend is not affected.
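What the `VCS_BACKENDS` workaround looks like in Weblate's Django settings, as an added example rather than a copy of the project's own settings file; the backend class paths are assumed to match Weblate's defaults, so take the tuple from your own settings and drop only the Mercurial entry:

```python
# Django settings for Weblate (settings.py). Added example, not Weblate's own
# settings file: the class paths below are assumed to match Weblate's
# defaults; other entries from your settings stay as they are.

# Before: the Mercurial backend is enabled, so a crafted repository URL from
# the component form is fetched by hg and its HTTP response returned to the
# user (CVE-2025-66407).
VCS_BACKENDS = (
    "weblate.vcs.git.GitRepository",
    "weblate.vcs.mercurial.HgRepository",  # affected backend
)

# After: the same tuple without the Mercurial entry. The Git backend is not
# affected, so Git-based components keep working.
VCS_BACKENDS = (
    "weblate.vcs.git.GitRepository",
)
```

Restart the Weblate services after changing the setting; existing Mercurial components stop being updatable until the backend is re-enabled on a fixed version.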
CVE-2025-66407 is a Server-Side Request Forgery vulnerability in Weblate versions 5.14 and earlier that lets an authenticated user reach internal resources through a manipulated repository URL.
You are affected if you run Weblate version 5.14 or earlier with the Mercurial backend enabled. Upgrade to version 5.15 or later to fix the vulnerability.
Upgrade Weblate to version 5.15 or later. As a temporary workaround, remove the Mercurial backend from `VCS_BACKENDS`; a WAF rule that blocks suspicious URLs is a weaker stopgap.
There is currently no evidence of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the official Weblate security advisory for detailed information and updates: [https://weblate.org/security/](https://weblate.org/security/)