CVE-2025-64725

9.8 CRITICAL

📋 TL;DR

This vulnerability in Weblate allows one user to accept an invitation that was opened by another user, potentially leading to unauthorized access or privilege escalation. All Weblate instances running versions before 5.15 are affected. The issue stems from improper invitation session handling.

💻 Affected Systems

Products:
  • Weblate
Versions: All versions prior to 5.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Weblate deployments with invitation functionality enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could gain unauthorized access to projects, modify translations, or escalate privileges by hijacking another user's invitation session.

🟠

Likely Case

Unauthorized users gaining access to projects they shouldn't have access to, potentially leading to data manipulation or exposure.

🟢

If Mitigated

With proper session management controls and monitoring, impact is limited to potential unauthorized project access without further escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to a Weblate instance and knowledge of invitation sessions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.15

Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-m6hq-f4w9-qrjj

Restart Required: Yes

Instructions:

1. Back up your Weblate instance.
2. Update to Weblate 5.15 or later using your package manager or pip.
3. Restart Weblate services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Session Management Workaround

all

Avoid leaving Weblate sessions with open invitations unattended

🧯 If You Can't Patch

  • Implement strict session timeout policies for Weblate users
  • Monitor for unusual invitation acceptance patterns in logs

🔍 How to Verify

Check if Vulnerable:

Check the Weblate version via the admin interface or by running the 'weblate --version' command

Check Version:

weblate --version

Verify Fix Applied:

Verify that the version is 5.15 or higher and test invitation acceptance functionality
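The version check above is easy to get wrong when done by string comparison ("5.9" sorts after "5.15"). The following is an added example, not part of the advisory or of Weblate itself: it parses the output of 'weblate --version' into numeric components and reports whether the install predates the 5.15 fix. The output format assumed ("weblate 5.14.2") and the treatment of pre-release suffixes such as "5.15-dev" as not yet fixed are assumptions of this example.

```python
"""Added example (not from the advisory or Weblate): decide whether a
reported Weblate version predates the 5.15 release that fixes CVE-2025-64725.

Assumptions: `weblate --version` prints something like "weblate 5.14.2";
a pre-release tag of the fixed version (e.g. "5.15-dev", "5.15rc1") is
treated conservatively as still vulnerable.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (5, 15)  # first release containing the fix, per the advisory

# Numeric release components, optionally followed by a pre-release marker.
_VERSION_RE = re.compile(
    r"(\d+)(?:\.(\d+))?(?:\.(\d+))?"
    r"(?P<pre>[-.]?(?:dev|rc|a|b|alpha|beta)\d*)?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], bool]]:
    """Return ((major, minor, patch...), is_prerelease) or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    numbers = tuple(int(p) for p in m.groups()[:3] if p is not None)
    return numbers, m.group("pre") is not None


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version is older than the patched release.

    Comparison is numeric per component, so 5.9 < 5.15 and 5.15.1 >= 5.15.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"no version number found in {version_text!r}")
    numbers, prerelease = parsed
    # Pad both tuples so that 5.15 and 5.15.0 compare as equal.
    width = max(len(numbers), len(FIXED_VERSION))
    got = numbers + (0,) * (width - len(numbers))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    if got < fixed:
        return True
    # A pre-release of the fixed version may not contain the fix yet.
    return got == fixed and prerelease


def check_installed() -> bool:
    """Run `weblate --version` on this host and evaluate the result."""
    out = subprocess.run(["weblate", "--version"], capture_output=True, text=True, check=True)
    return is_vulnerable(out.stdout)


if __name__ == "__main__":
    status = "VULNERABLE (update to 5.15+)" if check_installed() else "patched"
    print(f"CVE-2025-64725: {status}")
```

Run it on the Weblate host; the exit text tells you whether step 4 of the fix instructions (verifying the update) has actually been met.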

📡 Detection & Monitoring

Log Indicators:

  • Multiple invitation acceptances from different user sessions
  • Unusual invitation acceptance patterns

Network Indicators:

  • Multiple invitation-related requests from different IPs in short timeframe

SIEM Query:

source="weblate" AND (event="invitation_accepted" OR event="project_access_granted") | stats count by user, src_ip
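The SIEM query above counts invitation events per user and source IP; it does not by itself tie an acceptance back to the session that opened the invitation, which is the specific condition this CVE allows. The following is an added example, not part of the advisory or of Weblate: a small Python detector that correlates invitation_opened and invitation_accepted records and flags acceptances from a different user or session than the one that opened the invitation, as well as a single invitation accepted by more than one user. The key=value log format and the sample lines are constructed for this example; real Weblate logs differ, so adapt parse_line() to your deployment.

```python
"""Added example (not from the advisory or Weblate): correlate invitation
events to detect cross-session acceptances of the kind CVE-2025-64725 permits.

The log format (one key=value record per line) and all sample lines are
constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log lines (not real Weblate output). inv-1001 is a
# normal flow; inv-1002 is opened by bob but first accepted by mallory.
SAMPLE_LOG = """\
ts=2025-01-10T09:00:01Z event=invitation_opened invitation=inv-1001 user=alice session=s-aaa src_ip=10.0.0.5
ts=2025-01-10T09:00:09Z event=invitation_accepted invitation=inv-1001 user=alice session=s-aaa src_ip=10.0.0.5
ts=2025-01-10T09:05:00Z event=invitation_opened invitation=inv-1002 user=bob session=s-bbb src_ip=10.0.0.7
ts=2025-01-10T09:05:30Z event=invitation_accepted invitation=inv-1002 user=mallory session=s-ccc src_ip=203.0.113.9
ts=2025-01-10T09:06:00Z event=invitation_accepted invitation=inv-1002 user=bob session=s-bbb src_ip=10.0.0.7
ts=2025-01-10T09:07:00Z event=project_access_granted project=docs user=mallory src_ip=203.0.113.9
"""


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value record into a dict (tokens without '=' are ignored)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect_invitation_hijack(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious invitation acceptance.

    Indicators checked:
      * an acceptance whose user or session differs from the ones recorded
        when the invitation was opened (the cross-session acceptance);
      * the same invitation accepted by more than one distinct user.
    """
    opened: Dict[str, Dict[str, str]] = {}
    accepted_by: Dict[str, Set[str]] = defaultdict(set)
    findings: List[Dict[str, str]] = []

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        event, inv = rec.get("event"), rec.get("invitation")
        if not inv:
            continue
        if event == "invitation_opened":
            opened[inv] = rec
        elif event == "invitation_accepted":
            user = rec.get("user", "")
            opener = opened.get(inv)
            if opener and (opener.get("user") != user or opener.get("session") != rec.get("session")):
                findings.append({
                    "invitation": inv, "reason": "accepted_outside_opening_session",
                    "user": user, "src_ip": rec.get("src_ip", ""), "ts": rec.get("ts", ""),
                })
            accepted_by[inv].add(user)
            if len(accepted_by[inv]) > 1:
                findings.append({
                    "invitation": inv, "reason": "multiple_users_accepted",
                    "user": user, "src_ip": rec.get("src_ip", ""), "ts": rec.get("ts", ""),
                })
    return findings


if __name__ == "__main__":
    for f in detect_invitation_hijack(SAMPLE_LOG):
        print(f"{f['ts']} {f['invitation']} {f['reason']} user={f['user']} src_ip={f['src_ip']}")
```

Each finding carries the acceptor, source IP and timestamp so it can be joined against the project_access_granted events the SIEM query already collects; in the sample, both findings point at inv-1002.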
