CVE-2025-47951

Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384	Patch
https://github.com/WeblateOrg/weblate/pull/14918	Issue Tracking
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1	Release Notes
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q	Vendor Advisory
https://hackerone.com/reports/3150564	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

History

16 Jul 2025, 14:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-16 21:15

Updated : 2025-07-16 14:32

NVD link : CVE-2025-47951

Mitre link : CVE-2025-47951

CVE.ORG link : CVE-2025-47951

JSON object : View

Products Affected

weblate

weblate

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2025-47951", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.8}]}, "published": "2025-06-16T21:15:24.010", "references": [{"url": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/pull/14918", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/3150564", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12."}, {"lang": "es", "value": "Weblate es una herramienta de localizaci\u00f3n web. Antes de la versi\u00f3n 5.12, la verificaci\u00f3n del segundo factor no estaba sujeta a limitaci\u00f3n de velocidad. Esta ausencia de limitaci\u00f3n de velocidad en el endpoint del segundo factor permite a un atacante con credenciales v\u00e1lidas automatizar la adivinaci\u00f3n de OTP. Este problema se ha corregido en la versi\u00f3n 5.12."}], "lastModified": "2025-07-16T14:32:59.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9C3367BD-4AF1-4FFF-B652-AF187F10F9A8", "versionEndExcluding": "5.12"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}