CVE-2025-67819
📋 TL;DR
This vulnerability in Weaviate OSS allows attackers to read arbitrary files accessible to the service process when specific conditions are met. It affects Weaviate instances where the FileReplicationService is reachable and a shard is in the 'Pause file activity' state. Organizations running vulnerable versions of Weaviate OSS are at risk.
💻 Affected Systems
- Weaviate OSS
📦 What is this software?
Weaviate by Weaviate
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive files accessible to the Weaviate process, potentially including configuration files, credentials, or other sensitive data stored on the server.
Likely Case
Unauthorized reading of files within the Weaviate process's access permissions, potentially exposing configuration data or other sensitive information.
If Mitigated
Limited impact with proper network segmentation and access controls preventing unauthorized access to the FileReplicationService.
🎯 Exploit Status
Exploitation requires specific conditions: attacker must be able to call GetFile method while shard is in 'Pause file activity' state and FileReplicationService is reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.33.4
Vendor Advisory: https://weaviate.io/blog/weaviate-security-release-november-2025
Restart Required: Yes
Instructions:
1. Backup your Weaviate data and configuration.
2. Stop the Weaviate service.
3. Update to Weaviate version 1.33.4 or later.
4. Restart the Weaviate service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict FileReplicationService Access
Platform: Linux
Limit network access to the FileReplicationService to only trusted sources.
# Use firewall rules to restrict access to FileReplicationService port
# Example: iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
# iptables -A INPUT -p tcp --dport [PORT] -j DROP
Monitor Shard States
Platform: All
Implement monitoring for shards entering the 'Pause file activity' state and alert on suspicious activity.
# Monitor Weaviate logs for shard state changes
# grep -i 'pause.*file.*activity' /var/log/weaviate/*.log
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Weaviate instances from untrusted networks.
- Apply principle of least privilege to Weaviate service account and file system permissions.
🔍 How to Verify
Check if Vulnerable:
Check Weaviate version: if running version earlier than 1.33.4, the system is vulnerable.
Check Version:
weaviate --version
Verify Fix Applied:
Verify the installed Weaviate version is 1.33.4 or later and check that the FileReplicationService has proper input validation.
📡 Detection & Monitoring
Log Indicators:
- Unusual GetFile method calls
- Shard state changes to 'Pause file activity' followed by file access attempts
- File access errors or permission denials from unexpected sources
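The second log indicator above (a shard entering 'Pause file activity' followed by GetFile calls) can be turned into a correlation rule. The script below is an added example, not Weaviate's own code or log format: the JSON field names (time, msg, shard, state, method, remote_addr) and the sample log lines are constructed assumptions, and the trusted peer list stands in for your real replication peers.

```python
"""Correlate Weaviate shard pause events with subsequent GetFile calls.

Added detection example, not code from Weaviate. The log layout below is an
assumption; adapt parse() to the fields your deployment actually emits.
"""
import json
from datetime import datetime, timedelta

# Constructed sample: one GetFile from a trusted replication peer, one from an
# unexpected address while the shard is paused, one after the shard resumes.
SAMPLE_LOGS = """
{"time":"2025-11-20T10:00:00Z","msg":"shard state change","shard":"Article_a1","state":"Pause file activity"}
{"time":"2025-11-20T10:00:05Z","msg":"file replication request","method":"GetFile","shard":"Article_a1","remote_addr":"10.0.0.7"}
{"time":"2025-11-20T10:00:06Z","msg":"file replication request","method":"GetFile","shard":"Article_a1","remote_addr":"203.0.113.9"}
{"time":"2025-11-20T10:00:30Z","msg":"shard state change","shard":"Article_a1","state":"Ready"}
{"time":"2025-11-20T10:05:00Z","msg":"file replication request","method":"GetFile","shard":"Article_a1","remote_addr":"203.0.113.9"}
""".strip().splitlines()

TRUSTED_PEERS = {"10.0.0.7"}  # assumed addresses of legitimate replication peers


def parse(line):
    """Parse one JSON log line; timestamps are assumed to be RFC 3339 UTC."""
    rec = json.loads(line)
    rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return rec


def correlate(lines, trusted=TRUSTED_PEERS, window=timedelta(minutes=10)):
    """Return alerts for GetFile calls that hit a shard while it is paused.

    A shard counts as paused from its 'Pause file activity' event until the
    next state change for that shard, bounded by `window`. Calls from trusted
    peers are expected during replication and are not reported.
    """
    paused = {}  # shard -> time it entered 'Pause file activity'
    alerts = []
    for rec in sorted(map(parse, lines), key=lambda r: r["time"]):
        shard = rec.get("shard")
        if rec.get("msg") == "shard state change":
            if rec.get("state") == "Pause file activity":
                paused[shard] = rec["time"]
            else:
                paused.pop(shard, None)  # any other state ends the pause
        elif rec.get("method") == "GetFile" and shard in paused:
            src = rec.get("remote_addr")
            if rec["time"] - paused[shard] <= window and src not in trusted:
                alerts.append({"shard": shard, "source": src,
                               "time": rec["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT: GetFile on paused shard", alert)
```

Feed it your real log stream and review every alert against the peers that are actually allowed to replicate that shard.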
Network Indicators:
- Unusual traffic patterns to FileReplicationService port
- Connection attempts from unauthorized sources to Weaviate services
SIEM Query:
source="weaviate" AND ("GetFile" OR "Pause file activity")