Weblate, Arbitrary File Read via Symbolic Links, CVE-2025-53024 (High)

This vulnerability, CVE-2025-53024, allows an authenticated attacker with commit privileges to read arbitrary files on the Weblate server’s filesystem. The flaw exists in the component that handles uploaded translation repositories. When Weblate processes a repository, it does not properly validate or restrict symbolic links present within the repository’s structure. An attacker can craft a malicious Git repository containing a symbolic link (symlink) pointing to a sensitive system file, such as `/etc/passwd` or configuration files containing secrets. Upon importing or updating this crafted repository in a Weblate project, the application follows the symlink when performing file operations. This allows the attacker to subsequently access the contents of the targeted file through the Weblate interface’s file browsing or translation features, effectively bypassing intended access controls and directory restrictions to read any file accessible by the Weblate server process.
Platform: Weblate
Version: < 5.18.3
Vulnerability: Symbolic Link Traversal
Severity: High
Date: 2025-12-18

Prediction: Patch 2025-12-20

What Undercode Says:

# In the attacker's clone of the translation repository: commit a symlink
# whose name looks like a translation file but points at a file on the host.
$ ln -s /etc/passwd ./malicious-link.po
$ git add malicious-link.po && git commit -m "Added link"
$ git push origin main

# After the Weblate component pulls the repository, the symlinked "file" is
# requested through the project file viewer (example request path):
GET /browse/<project-name>/<component>/en/malicious-link.po/

How to Exploit:

  1. Attacker creates a local Git repo with a symlink to a target file.
  2. The repo is pushed to a remote VCS provider (e.g., GitHub).
  3. Attacker configures a Weblate component to use this malicious repository.
  4. Upon repository pull, Weblate ingests the symlink.
  5. Attacker navigates the Weblate file browser to the symlinked file, triggering the read.

Protection from this CVE

Update to Weblate version 5.18.3 or later. As defence in depth, validate every path before any repository file operation: resolve it and reject anything that does not stay inside the checkout, and open files without following symlinks so a link committed later cannot reintroduce the problem. Run the Weblate process under a dedicated, least-privilege account, ideally in a container or chroot jail, so that even a successful read is limited to files that account can already access.
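The following is an added example, not Weblate's own code, showing the mechanism described above and the check recommended here in one runnable script. It builds a throwaway "checkout" containing a symlink that escapes the repository (the target is a constructed file standing in for /etc/passwd, so nothing on the host is touched), reads it the naive way to show the leak, then runs a containment check plus an O_NOFOLLOW open that refuses it. Function names, the sample .po content and the directory layout are assumptions for illustration.

```python
"""
Added example (not from Weblate): symlink escape from a repository checkout,
the naive read that leaks the target, and a hardened read that refuses it.
"""
import os
import tempfile
from pathlib import Path

# Sample line standing in for /etc/passwd (constructed, not a real host file).
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


def build_demo_checkout(root: Path, target: Path) -> Path:
    """Simulate a pulled translation repo that carries an attacker symlink.
    The symlink name mimics a translation file; its target lies outside root."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "en.po").write_text('msgid "hello"\nmsgstr "hello"\n')
    os.symlink(target, root / "malicious-link.po")  # the attacker's commit
    return root


def naive_read(repo_root: Path, relpath: str) -> str:
    """The vulnerable pattern: join the path and open it, following symlinks."""
    return (repo_root / relpath).read_text()


def is_contained(repo_root: Path, relpath: str) -> bool:
    """True only if relpath, after resolving '..' and every symlink in it,
    still lives inside repo_root. Missing files are treated as not contained."""
    try:
        resolved = (repo_root / relpath).resolve(strict=True)
        root = repo_root.resolve(strict=True)
    except FileNotFoundError:
        return False
    return resolved == root or root in resolved.parents


def safe_read(repo_root: Path, relpath: str) -> str:
    """Hardened reader: reject paths that escape the checkout, then open the
    final component with O_NOFOLLOW so a symlink swapped in after the check
    (TOCTOU) fails with ELOOP instead of being followed. Intermediate symlinked
    directories are caught by the resolve() in is_contained()."""
    if not is_contained(repo_root, relpath):
        raise PermissionError(f"{relpath!r} resolves outside the repository")
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)  # O_NOFOLLOW: POSIX only
    fd = os.open(repo_root / relpath, flags)
    with os.fdopen(fd, "r") as fh:
        return fh.read()


def find_escaping_symlinks(repo_root: Path) -> list:
    """Post-pull scan: every symlink in the checkout whose target leaves it.
    Suitable as a gate before a repository is exposed to the file browser."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        if ".git" in dirnames:
            dirnames.remove(".git")
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(repo_root))
            if p.is_symlink() and not is_contained(repo_root, rel):
                bad.append(rel)
    return sorted(bad)


def demo() -> dict:
    """Run the whole scenario in a temp dir and report what each reader did."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secret = base / "outside" / "secret.txt"  # stands in for /etc/passwd
        secret.parent.mkdir()
        secret.write_text(FAKE_PASSWD)
        repo = build_demo_checkout(base / "checkout", secret)

        result = {
            "naive": naive_read(repo, "malicious-link.po"),   # leaks the target
            "scan": find_escaping_symlinks(repo),               # flags the link
            "safe_ok": safe_read(repo, "en.po"),                # normal file works
        }
        for key, path in (("safe_symlink", "malicious-link.po"),
                          ("safe_traversal", "../outside/secret.txt")):
            try:
                safe_read(repo, path)
                result[key] = "read"
            except (PermissionError, OSError) as exc:
                result[key] = type(exc).__name__
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The naive reader returns the constructed passwd line, the scan lists malicious-link.po, and both the symlink and the plain `../` traversal are rejected by the hardened reader before any byte is read. The O_NOFOLLOW flag is a second line of defence only; the containment check is what blocks symlinked directories and dot-dot segments.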

Impact:

Arbitrary file disclosure, potential secret leakage, and system compromise.

Sources:

Reported By: github.com