Server-Side Request Forgery Risk in Weblate by WeblateOrg
CVE-2025-66407

5 MEDIUM

Key Information:

Vendor:
Weblateorg
Status:
Vendor
CVE Published:
15 December 2025

What is CVE-2025-66407?

Weblate, a web-based localization tool, contains a vulnerability in its Create Component functionality. Prior to version 5.15, authenticated users can create translation components by specifying a repository URL that is used without any validation or sanitization. An attacker can supply arbitrary protocols, hostnames, and IP addresses, including loopback and internal addresses. This behaviour leads to Server-Side Request Forgery (SSRF): the server can be made to probe internal services and disclose sensitive server information. The application can also be made to attempt local file enumeration through file-protocol requests, revealing the structure of the server's filesystem. This is particularly dangerous in cloud environments, where internal-only endpoints become reachable and credential exposure becomes possible. The issue has been resolved in the Weblate 5.15 release; as a temporary measure, users are advised to remove Mercurial from VCS_BACKENDS, since the Git backend is unaffected.
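The root cause described above is a repository URL that reaches a VCS backend unvalidated. The following is an added example of the kind of pre-flight check a defender would put in front of such a field; it is not Weblate's own code or fix. It assumes a hypothetical scheme allow-list (ALLOWED_SCHEMES), rejects IP literals and resolved addresses that are not globally routable (loopback, RFC 1918, link-local, IPv4-mapped IPv6), and takes an injectable resolver so the constructed DNS table below lets it run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: schemes a VCS backend may fetch from. file:// and plain http://
# are deliberately absent. This is a hypothetical policy, not Weblate's.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


def _is_public_ip(ip):
    """True only for globally routable addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 must be judged as the IPv4 address it wraps,
    # otherwise a mapped loopback slips past the IPv6 checks.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def _default_resolver(host):
    """Resolve a hostname to all of its address strings (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_repo_url(url, resolver=_default_resolver):
    """Return (True, "ok") if the URL may be handed to a VCS backend,
    otherwise (False, reason). Every resolved address must be public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips [] from IPv6 literals, lowercases
    except ValueError:
        return False, "unparsable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if not host:
        return False, "missing host"
    try:
        # IP literal: no DNS lookup needed
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except OSError:
            return False, f"cannot resolve {host!r}"
        if not ips:
            return False, f"no addresses for {host!r}"
    for ip in ips:
        if not _is_public_ip(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, "ok"


# Constructed DNS answers for offline use; these are not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal.corp": ["10.0.0.5"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://example.com/repo.git",
        "file:///etc/passwd",
        "https://127.0.0.1/repo",
        "https://[::ffff:127.0.0.1]/repo",
        "https://169.254.169.254/repo",
        "https://internal.corp/repo",
    ):
        print(candidate, "->", validate_repo_url(candidate, fake_resolver))
```

Two caveats apply to any check of this shape. The resolution step is a point-in-time answer, so a host that resolves publicly at validation time and privately when the backend later connects (DNS rebinding) is not covered; pinning the resolved address for the actual fetch, or running the fetch in a network namespace with no route to internal ranges, closes that gap. Also, the check only covers the URL field; the temporary mitigation the advisory names, dropping Mercurial from VCS_BACKENDS, works at a different layer by removing the affected backend altogether.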

Affected Version(s)

weblate < 5.15

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
