Login Sign Up

CVE-2025-47951

4.9 MEDIUM
Authentication Bypass

📋 TL;DR

Weblate versions before 5.12 lack rate limiting on second-factor authentication endpoints, allowing attackers with valid credentials to automate OTP guessing. This affects all Weblate instances using two-factor authentication. The vulnerability enables potential account takeover despite having multi-factor authentication in place.

💻 Affected Systems

Products:
  • Weblate
Versions: All versions before 5.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with two-factor authentication enabled.

📦 What is this software?

Weblate by Weblate

View all CVEs affecting Weblate →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover of administrative users leading to data manipulation, code injection, or system compromise.

🟠

Likely Case

Account takeover of regular users allowing unauthorized access to translation projects and sensitive data.

🟢

If Mitigated

Failed login attempts logged, but no successful exploitation due to rate limiting.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires valid username/password credentials first. OTP brute-forcing is trivial to automate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.12 and later

Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q

Restart Required: Yes

Instructions:

1. Backup your Weblate instance. 2. Update to Weblate 5.12 or later using pip: 'pip install --upgrade weblate'. 3. Restart the Weblate service. 4. Verify the update completed successfully.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF) Rules

all

Configure rate limiting rules for authentication endpoints at the WAF or reverse proxy level.

Network-Level Rate Limiting

linux

Use iptables or similar to limit connection rates to Weblate authentication endpoints.

iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP

🧯 If You Can't Patch

  • Disable two-factor authentication temporarily until patching is possible
  • Implement strict network segmentation and limit access to Weblate only to trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

Check Weblate version: if version is less than 5.12 and 2FA is enabled, the system is vulnerable.

Check Version:

weblate --version

Verify Fix Applied:

After updating, verify version is 5.12 or later and test that repeated OTP attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed second-factor authentication attempts from same IP/user
  • Unusual authentication patterns with correct password but varying OTP codes

Network Indicators:

  • High volume of POST requests to /accounts/confirm/ endpoint
  • Rapid authentication attempts from single source

SIEM Query:

source="weblate.log" AND "second factor" AND ("failed" OR "invalid") | stats count by src_ip, user

📊 Metadata

CVE ID: CVE-2025-47951
CVSS v3 Score: 4.9 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-307
EPSS Score: 0.04% exploit probability (13.1th percentile)
Published: June 16, 2025
Last Updated: July 16, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-47951, you might also want to check these:

CVE-2023-1665 9.8

This vulnerability allows attackers to perform unlimited authentication attempts against Twake insta...

Same vulnerability type (CWE-307)
CVE-2020-28212 9.8

This vulnerability allows attackers to perform brute force attacks against the PLC Simulator in EcoS...

Same vulnerability type (CWE-307)
CVE-2024-9342 9.8

CVE-2024-9342 allows attackers to perform unlimited brute-force login attempts against Eclipse Glass...

Same vulnerability type (CWE-307)