CVE-2025-67715
📋 TL;DR
CVE-2025-67715 is an information disclosure vulnerability in Weblate that allows unauthorized API access to user notification settings and user lists. This affects all Weblate instances running versions before 5.15. The vulnerability exposes potentially sensitive user information to attackers.
💻 Affected Systems
- Weblate
📦 What is this software?
Weblate is a web-based continuous localization (translation management) platform, developed by the Weblate project. It exposes a REST API under /api/ that is used by its own web interface and by automation clients.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all users, potentially identifying administrators or privileged accounts for targeted attacks, and access user notification settings which might contain sensitive configuration data.
Likely Case
Unauthorized users can retrieve lists of all registered users and view individual user notification preferences, leading to privacy violations and potential reconnaissance for further attacks.
If Mitigated
With proper network segmentation and API access controls, impact is limited to authenticated users who shouldn't have access to this information.
🎯 Exploit Status
Exploitation requires API access but appears to be straightforward based on the advisory description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.15
Vendor Advisory: https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
Restart Required: Yes
Instructions:
1. Backup your Weblate instance and database.
2. Update Weblate to version 5.15 or later using your package manager or deployment method.
3. Restart the Weblate service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit API access to trusted networks or IP addresses only.
# Restrict the port Weblate listens on (8000 here; adjust to your deployment)
# to a trusted source range and drop everything else. Replace TRUSTED_RANGE with
# your CIDR. Order matters: the ACCEPT rule must be evaluated before the DROP rule.
iptables -A INPUT -p tcp --dport 8000 -s TRUSTED_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Disable Unnecessary API Endpoints
Use a reverse proxy or application firewall to block access to the affected endpoints.
# Example nginx location block to restrict user-related API endpoints.
# Note that this also blocks legitimate, authorized use of these endpoints
# (e.g. administrators managing users via the API) until the instance is patched.
location ~ ^/api/(users|notifications) {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement strict network access controls to limit API access to authorized users only
- Monitor API logs for unusual access patterns to user-related endpoints
🔍 How to Verify
Check if Vulnerable:
Check Weblate version via web interface or API. If version is below 5.15, the system is vulnerable.
Check Version:
curl -s http://weblate-host/api/ | grep -o '"version":"[^"]*"'
Verify Fix Applied:
After updating, verify version is 5.15 or higher and test that unauthorized users cannot access /api/users or /api/notifications endpoints.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to /api/users or /api/notifications endpoints
- Multiple failed authentication attempts followed by successful API calls to user endpoints
Network Indicators:
- Unusual API traffic patterns to user-related endpoints from unexpected sources
SIEM Query:
source="weblate" AND (uri_path="/api/users" OR uri_path="/api/notifications") AND http_status=200 AND NOT user IN (authorized_users_list)
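As an added example (not part of this advisory or of Weblate's own code), the version check from "How to Verify" and the SIEM query above expressed as one small Python script: it compares the reported version numerically against 5.15 (a string comparison would rank 5.9 above 5.15) and flags successful requests to /api/users or /api/notifications by anyone outside an allow list, run over constructed access-log lines. The combined log format, the sample paths and the allow list are assumptions.

```python
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = (5, 15)  # first fixed release named in the advisory above

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "5.9.2" or "5.15-dev" into a tuple of ints so that 5.9 < 5.15.
    A plain string comparison would rank "5.9" above "5.15"."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if not parts:
        raise ValueError(f"no version number in {version!r}")
    return parts

def is_vulnerable(version: str) -> bool:
    """True when the reported Weblate version is older than 5.15."""
    return parse_version(version) < FIXED_VERSION

# Combined access log line as written by a reverse proxy (e.g. nginx) in front
# of Weblate (assumed format). The remote-user field is "-" unless HTTP basic
# auth was used, so token-authenticated API calls also show "-" here; pair this
# with Weblate's own logs if you need to tell anonymous from token users.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_PATH = re.compile(r"^/api/(users|notifications)(/|$|\?)")

def find_suspicious(lines: Iterable[str], authorized: set) -> List[dict]:
    """Successful (200) hits on the user/notification endpoints by anyone not in `authorized`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        if m["status"] != "200" or not SENSITIVE_PATH.match(m["path"]):
            continue
        if m["user"] in authorized:
            continue
        hits.append({"ip": m["ip"], "user": m["user"], "path": m["path"]})
    return hits

# Constructed sample log lines (not real traffic) for demonstration.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/users/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /api/notifications/ HTTP/1.1" 200 812',
    '198.51.100.2 - admin [01/Jan/2025:10:01:00 +0000] "GET /api/users/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /api/translations/ HTTP/1.1" 200 3000',
    '203.0.113.9 - - [01/Jan/2025:10:03:00 +0000] "GET /api/users/ HTTP/1.1" 403 120',
]
```

Running `find_suspicious(SAMPLE_LOG, authorized={"admin"})` returns the two anonymous 200 responses on /api/users/ and /api/notifications/; the admin request, the unrelated endpoint and the 403 are ignored.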