Platform
python
Component
weblate
Fixed in
5.15.2
5.15.1
CVE-2025-68279 describes an arbitrary file access vulnerability in Weblate. A crafted symbolic link placed inside a translation repository is followed when Weblate reads repository files, so an attacker able to get such a link into a repository that Weblate processes can read arbitrary files on the server's file system. Versions of Weblate prior to 5.15.1 are affected; the fix was released in version 5.15.1.
The primary impact of CVE-2025-68279 is unauthorized access to sensitive data on the server. An attacker could read configuration files, source code, database credentials, or any other file the Weblate process itself can read. Successful exploitation could lead to data breaches, loss of system integrity, and lateral movement within the network if exposed credentials are reused elsewhere. Symbolic link following is a well-known and easily reproduced attack technique, which makes the data exposure here a significant concern even though the flaw requires the attacker to influence repository content.
CVE-2025-68279 was responsibly disclosed by Jason Marcello. As of the publication date (2025-12-18), there is no indication of active exploitation and no CISA KEV listing. No public proof-of-concept code is available, but the nature of the flaw suggests it would be straightforward to exploit once one exists. The current EPSS score is 0.07% (20th percentile), i.e. a low predicted probability of exploitation in the wild.
Organizations using Weblate for translation management, particularly those hosting Weblate instances on shared hosting environments or with limited file system access controls, are at increased risk. Legacy Weblate configurations that haven't been regularly updated are also more vulnerable.
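The flaw described above comes down to one missing check: a file path inside a repository checkout is trusted without verifying where it really resolves. The following added example (not Weblate's own code; the layout, file names and "secret" content are constructed for the demo) shows both halves a practitioner wants: an audit that walks a checkout and reports every symlink whose resolved target lies outside the checkout, and a guarded open that refuses any repository path, symlink or `..`, whose real location escapes the root. It generalizes beyond a single symlink to chains of links and dangling links.

```python
"""Audit a repository checkout for symbolic links that escape it, and open
repository files only when their real location stays inside the checkout.

Added example (not Weblate's own code). The layout, file names and the
"secret" content below are constructed for the demo; the checks are generic."""
import os
import tempfile
from pathlib import Path


def _inside(root: Path, path: Path) -> bool:
    """True if `path` lies under `root` (both already resolved).
    Compares path components, so /srv/repo2 is NOT inside /srv/repo."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_escaping_symlinks(repo_root):
    """Return (link, target) pairs for every symlink below repo_root whose
    fully resolved target is outside repo_root. Dangling links count as
    escaping: their target is not inside the checkout either."""
    root = Path(repo_root).resolve()
    escaping = []
    # followlinks=False: never descend into a symlinked directory, so a link
    # to / cannot make the walk wander over the whole filesystem.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # resolve() follows the whole chain; with strict=False (the
            # default) a dangling link still yields the path it points at.
            target = link.resolve()
            if not _inside(root, target):
                escaping.append((str(link.relative_to(root)), str(target)))
    return escaping


def safe_open(repo_root, rel_path, mode="rb"):
    """Open a file by its path relative to the checkout, refusing it when the
    resolved location (after following symlinks and '..') leaves the checkout.
    The containment test is done on the final resolved path, not on rel_path."""
    root = Path(repo_root).resolve()
    candidate = (root / rel_path).resolve()
    if not _inside(root, candidate):
        raise PermissionError(
            f"{rel_path!r} resolves to {candidate}, outside the repository")
    return open(candidate, mode)


def build_demo_repo():
    """Create a constructed sample layout in a temporary directory:
    <base>/outside/secret.txt          a file that must never be served
    <base>/repo/locale/de.po           a normal translation file
    <base>/repo/locale/fr.po  -> ../../outside/secret.txt   (escapes)
    <base>/repo/README.md     -> locale/de.po               (stays inside)
    Returns the repo path."""
    base = Path(tempfile.mkdtemp(prefix="symlink-audit-demo-"))
    (base / "outside").mkdir()
    (base / "outside" / "secret.txt").write_text("db_password=hunter2\n")
    repo = base / "repo"
    (repo / "locale").mkdir(parents=True)
    (repo / "locale" / "de.po").write_text('msgid "Hello"\nmsgstr "Hallo"\n')
    # Relative link targets, the form an attacker would commit to a repository.
    os.symlink("../../outside/secret.txt", repo / "locale" / "fr.po")
    os.symlink("locale/de.po", repo / "README.md")
    return repo


def demo():
    """Run the audit and the guarded open against the demo repo.
    Returns (escaping_links, refused_paths)."""
    repo = build_demo_repo()
    escaping = find_escaping_symlinks(repo)
    refused = []
    for rel in ("locale/de.po", "locale/fr.po", "../outside/secret.txt"):
        try:
            with safe_open(repo, rel) as fh:
                fh.read()
        except PermissionError:
            refused.append(rel)
    return escaping, refused


if __name__ == "__main__":
    links, refused = demo()
    for link, target in links:
        print(f"escaping symlink: {link} -> {target}")
    print("refused by safe_open:", refused)
```

Run it against a real checkout with `find_escaping_symlinks("/path/to/data/vcs/<project>/<component>")`. Note that `safe_open` resolves and then opens in two steps, so a process that can rewrite the link between those steps could still win the race; where that threat applies, open with `O_NOFOLLOW` per path component or verify the opened descriptor with `fstat` instead of trusting the pre-open resolution.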
• python / server:
find /opt/weblate -type l -printf '%p -> %l\n'   # list every symlink and its target under Weblate's data directory; adjust the path to your DATA_DIR, where repository checkouts live
• python / server:
journalctl -u weblate -f | grep -i "symbolic link"   # watch the Weblate service log for symlink-related errors (the exact wording depends on your version)
• generic web:
There is no meaningful HTTP probe for this issue. The malicious symlink is committed into the translation repository, not sent in the request path, so a URL such as http://your-weblate-instance/path/to/symlink%20../sensitive_file.txt does not exercise the flaw; inspect the repository checkouts on the server instead.
Disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-68279 is to upgrade Weblate to version 5.15.1 or later immediately. If upgrading is not immediately feasible, restrict the file system access of the Weblate process to the directories it actually needs; note that a symlink can only expose what the Weblate service account is able to read, so running Weblate under a dedicated, least-privileged user limits the blast radius. Audit the repository checkouts for symbolic links that resolve outside the repository, and review who is allowed to push to the repositories Weblate processes. A WAF or proxy cannot prevent this vulnerability, because the malicious content arrives through the repository rather than the HTTP request, but it may still help detect unusual requests for files outside the expected locations. After upgrading, confirm the fix by placing a test symlink to a harmless file outside a test repository and verifying that Weblate refuses to read it.
Upgrade Weblate to version 5.15.1 or later. This version fixes the arbitrary file read via symbolic links. The upgrade can be performed through the Python package manager (pip) or by following the upgrade instructions provided by WeblateOrg.
CVE-2025-68279 is a vulnerability in Weblate versions prior to 5.15.1 that allows attackers to read arbitrary files on the server via symbolic link manipulation, carrying a CVSS score of 7.7 (HIGH).
You are affected if you are running any Weblate version earlier than 5.15.1. Upgrade to version 5.15.1 or later to mitigate the risk.
Upgrade Weblate to version 5.15.1 or later. If immediate upgrade is not possible, restrict file system access and consider WAF rules.
As of the current disclosure date, there is no evidence of active exploitation, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Weblate security advisory for detailed information and updates: [https://weblate.org/security/](https://weblate.org/security/)