CVE-2025-66407

5.0 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Weblate's Create Component functionality. When the Mercurial version control backend is used, an attacker can supply a crafted repository URL to probe internal services, reach cloud metadata endpoints, and enumerate local files. Exploitation requires an authenticated user who is authorized to create components, and only Weblate instances with the Mercurial backend enabled are affected.

💻 Affected Systems

Products:
  • Weblate
Versions: All versions prior to 5.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with Mercurial VCS backend enabled; Git backend is not vulnerable.

📦 What is this software?

Weblate is a web-based continuous localization (translation management) platform that keeps translations in sync with version control repositories such as Git and Mercurial; the repository URL of each translation component is configured by its users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full environment compromise through cloud metadata credential theft, internal service enumeration leading to lateral movement, and sensitive file disclosure.

🟠 Likely Case

Internal network reconnaissance, cloud metadata access in cloud environments, and filesystem layout disclosure through error messages.

🟢 If Mitigated

Limited impact with proper network segmentation and cloud metadata service protections, though filesystem enumeration may still be possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authorized user access to Create Component functionality. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.15

Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-hfpv-mc5v-p9mm

Restart Required: Yes

Instructions:

1. Back up your Weblate instance.
2. Update to Weblate version 5.15 or later.
3. Restart the Weblate service.
4. Verify the fix by testing repository URL validation on the Create Component form.

🔧 Temporary Workarounds

Disable Mercurial VCS Backend (platform: all)

Remove Mercurial from the VCS_BACKENDS setting so that no component can be created with the Mercurial backend.

Edit Weblate's settings.py and remove 'weblate.vcs.mercurial.HgRepository' from the VCS_BACKENDS tuple, then restart Weblate. If settings.py does not define VCS_BACKENDS at all, Weblate uses its default list, which includes Mercurial, so define the setting explicitly without the Mercurial entry. Existing components that use Mercurial will no longer be able to use that backend, so inventory them first.

🧯 If You Can't Patch

  • Implement strict network segmentation: place Weblate in a segment that cannot reach internal services, and apply egress filtering on the Weblate host so it can connect only to the VCS hosts it legitimately needs
  • Protect the cloud metadata endpoint (for example, require IMDSv2 or the equivalent token-based access on your platform) so that a plain GET to 169.254.169.254 from the Weblate host returns nothing useful
  • Apply web application firewall rules to the Create Component form to block repository URLs using file:// or pointing at loopback, link-local, or private address ranges

🔍 How to Verify

Check if Vulnerable:

Check whether the Weblate version is below 5.15 and the Mercurial backend is enabled, either because 'weblate.vcs.mercurial.HgRepository' is listed in VCS_BACKENDS or because VCS_BACKENDS is left at its default (which includes Mercurial)

Check Version:

weblate --version

Verify Fix Applied:

On a test project, create a component with the Mercurial backend using a file:// URL and an http:// URL pointing at an internal or link-local address; a patched instance rejects the invalid protocol, and any error shown for an unreachable or internal target must not echo the remote response or local file content
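The following script is an added example for this page, not Weblate's own code. It combines the two checks above (version below 5.15, Mercurial still in VCS_BACKENDS) and also shows the workaround from the previous section as a settings fragment with the Mercurial entry removed. It parses settings.py with `ast` rather than importing it, so it never executes the file. Two assumptions that the page does not state: the output of `weblate --version` contains the version as "major.minor[.patch]", and a settings.py that omits VCS_BACKENDS falls back to Weblate's default list, which (per the page's "Default Config Vulnerable: Yes") includes Mercurial. The Git-family backend names in the sample settings are illustrative.

```python
"""Assess a Weblate host for CVE-2025-66407 exposure (added example)."""
import ast
import re

FIXED_VERSION = (5, 15)
HG_BACKEND = "weblate.vcs.mercurial.HgRepository"


def parse_version(version_output):
    """Extract (major, minor[, patch]) from `weblate --version` output.

    Assumption: the output contains a dotted version such as 5.14.2.
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", version_output)
    if not m:
        raise ValueError(f"no version number in {version_output!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def hg_backend_enabled(settings_source):
    """Return True/False when VCS_BACKENDS is a literal in settings.py.

    Returns None when VCS_BACKENDS is built dynamically (not a literal),
    meaning it has to be checked by hand.
    """
    for node in ast.walk(ast.parse(settings_source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "VCS_BACKENDS"
                   for t in node.targets):
            continue
        try:
            return HG_BACKEND in ast.literal_eval(node.value)
        except (ValueError, TypeError):
            return None
    # Assumption (see lead-in): no explicit setting means the default list,
    # which includes the Mercurial backend.
    return True


def assess(version_output, settings_source):
    """Combine both checks; unknown backend state on an unpatched host counts as exposed."""
    version = parse_version(version_output)
    patched = version >= FIXED_VERSION
    hg_enabled = hg_backend_enabled(settings_source)
    return {
        "version": version,
        "patched": patched,
        "hg_enabled": hg_enabled,
        "vulnerable": (not patched) and hg_enabled is not False,
    }


# Constructed settings fragments: a default-style list with Mercurial next to
# the workaround from the page (Mercurial entry removed).
WEAK_SETTINGS = '''
VCS_BACKENDS = (
    "weblate.vcs.git.GitRepository",
    "weblate.vcs.git.GithubRepository",
    "weblate.vcs.mercurial.HgRepository",
)
'''

HARDENED_SETTINGS = '''
VCS_BACKENDS = (
    "weblate.vcs.git.GitRepository",
    "weblate.vcs.git.GithubRepository",
)
'''

if __name__ == "__main__":
    for label, src in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, assess("Weblate 5.14.2", src))
    print("patched", assess("Weblate 5.15", WEAK_SETTINGS))
```

Run it against the real output of `weblate --version` and the contents of your settings.py; a result of `hg_enabled: None` means VCS_BACKENDS is computed rather than written out, and you need to inspect the effective value in a Django shell instead.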

📡 Detection & Monitoring

Log Indicators:

  • Unusual repository URL patterns in component creation logs
  • Mercurial operations with file:// or internal IP addresses
  • Error messages revealing internal service responses

Network Indicators:

  • Outbound connections from Weblate to internal IP ranges
  • Requests to cloud metadata endpoints from Weblate server

SIEM Query:

source="weblate" AND (url="file://*" OR url="*://169.254.169.254*" OR url="*://127.*" OR url="*://localhost*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*")

Two caveats when adapting this query: matching only on an http:// prefix misses https:// and ssh:// URLs, which Mercurial also accepts, so the patterns above are scheme-agnostic; and a 172.16.* wildcard covers only 172.16.0.0/16, while the private range is 172.16.0.0/12 (172.16.* through 172.31.*), so where the SIEM supports it use a regex such as 172\.(1[6-9]|2[0-9]|3[01])\. instead of the wildcard.
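As an added example (not Weblate's code and not a query from the original page), the same log indicators implemented as an offline check over component-creation log lines. Unlike the wildcard query, it inspects whatever scheme the URL uses and classifies the host with the `ipaddress` module, so loopback, link-local (cloud metadata) and the whole of 172.16.0.0/12 are covered. The log line layout (`... user=<name> ... repo=<url> ...`) and the sample lines are constructed for the demo; adapt LOG_LINE to what your Weblate or reverse-proxy log really emits.

```python
"""Flag SSRF-style repository URLs in constructed Weblate-style log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames that point at the local box or a cloud metadata service without
# needing an IP literal (metadata.google.internal is GCE's metadata name).
SUSPICIOUS_HOSTS = {"localhost", "metadata.google.internal", "metadata"}

# Constructed field layout; only `user=` and `repo=` are parsed.
LOG_LINE = re.compile(r"user=(?P<user>\S+).*?repo=(?P<repo>\S+)")


def classify_repo_url(url):
    """Return a short reason if the URL looks like an SSRF probe, else None."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("", "file"):
        return "local path or file:// scheme"
    host = (parts.hostname or "").lower()
    if host in SUSPICIOUS_HOSTS:
        return f"suspicious hostname {host}"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Public DNS name: not flagged here. Catching names that resolve to
        # internal addresses (or rebind) needs a resolver, which this
        # offline check deliberately avoids.
        return None
    # Order matters: 127/8 and 169.254/16 are also "private" to ipaddress,
    # so the more specific reasons are tested first.
    if addr.is_loopback:
        return "loopback address"
    if addr.is_link_local:
        return "link-local address (cloud metadata range)"
    if addr.is_private:
        return "private address"
    return None


def scan_log(lines):
    """Return (user, repo, reason) for every line whose repo URL is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m is None:
            continue
        reason = classify_repo_url(m["repo"])
        if reason:
            hits.append((m["user"], m["repo"], reason))
    return hits


# Constructed sample log: one benign Git component, one benign Mercurial
# component, and four probes of the kind the page describes. The 172.20.x.x
# entry is the case a plain 172.16.* wildcard would miss.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z weblate.component create user=alice repo=https://github.com/WeblateOrg/weblate.git vcs=git",
    "2025-12-01T10:02:17Z weblate.component create user=mallory repo=http://169.254.169.254/latest/meta-data/ vcs=mercurial",
    "2025-12-01T10:02:40Z weblate.component create user=mallory repo=file:///etc/passwd vcs=mercurial",
    "2025-12-01T10:03:05Z weblate.component create user=mallory repo=ssh://hg@10.0.0.5/internal vcs=mercurial",
    "2025-12-01T10:03:30Z weblate.component create user=mallory repo=http://172.20.1.1:8500/v1/kv/ vcs=mercurial",
    "2025-12-01T10:05:12Z weblate.component create user=bob repo=https://hg.mozilla.org/mozilla-central vcs=mercurial",
]

if __name__ == "__main__":
    for user, repo, reason in scan_log(SAMPLE_LOG):
        print(f"{user}\t{reason}\t{repo}")
```

The check intentionally stops at syntactic inspection: a public hostname that resolves to an internal address is a resolver-side problem, and the right place to catch that is egress filtering on the Weblate host, not log parsing.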

🔗 References
