Weblate, Information Disclosure, CVE-2025-32021 (Critical)

How the CVE Works:

CVE-2025-32021 exposes sensitive credentials (e.g., GitHub PATs and usernames) in plaintext during the creation of a new component in Weblate (< v5.11). The source repository URL, including embedded credentials, is passed via client-side URL parameters, leaking them in browser history, server logs (e.g., nginx in Docker deployments), and potentially to third-party monitoring tools. Attackers exploiting this could harvest credentials from unsecured logs or compromised systems, leading to unauthorized repository access.

DailyCVE Form:

Platform: Weblate
Version: < 5.11
Vulnerability: Credential Disclosure
Severity: Critical
Date: 04/15/2025

What Undercode Say:

Exploitation:

1. Log Harvesting: Query nginx logs for leaked URLs:

grep "component/new" /var/log/nginx/access.log | cut -d "?" -f 2

2. Browser History Extraction: On compromised endpoints, extract history files (e.g., Chrome):

sqlite3 ~/.config/chrome/Default/History "SELECT url FROM urls WHERE url LIKE '%source=%'"

Mitigation:

1. Immediate Upgrade:

docker pull weblate/weblate:5.11

2. Log Sanitization: Add an nginx filter that masks the source= parameter before it is written to the access log (access_log only accepts a named log_format, so the format is declared in the http {} block):

# http {} block: request line rebuilt from the sanitized query string
log_format weblate_clean '$remote_addr - $remote_user [$time_local] '
                         '"$request_method $uri?$cleaned $server_protocol" $status';

location /component/new {
    set $cleaned $args;
    # Replace the value of source= wherever it appears in the query string
    if ($args ~ "^(.*)source=[^&]*(.*)$") {
        set $cleaned "${1}source=REDACTED${2}";
    }
    access_log /var/log/nginx/weblate_clean.log weblate_clean;
}

3. Credential Rotation: Revoke exposed PATs via GitHub API:

# Note: the OAuth Authorizations API used here was removed by GitHub in November 2020;
# PATs can always be revoked under Settings > Developer settings > Personal access tokens.
curl -X DELETE -H "Authorization: token <VALID_TOKEN>" \
  "https://api.github.com/authorizations/<AUTH_ID>"

Detection:

• YARA Rule for log scanning:

rule weblate_creds {
    strings:
        $source_param = "source=http" nocase
        $token_pattern = /(ghp_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})/
    condition:
        $source_param and $token_pattern
}

• Auditd Rule for real-time monitoring:

auditctl -w /var/log/nginx/ -p wa -k weblate_cred_leak
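As an added defensive example (not code from the original page or the Weblate project), the following Python scanner applies the token patterns of the YARA rule above to nginx access-log lines, flags any source= parameter that carries embedded credentials (userinfo in the URL or a GitHub token), and returns a redacted copy of the line suitable for the sanitized log. The log lines, the "component/new" path marker (taken from the grep filter above) and the token values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Token shapes from the YARA rule above (classic and fine-grained GitHub PATs).
GITHUB_TOKEN_RE = re.compile(r"ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}")
# Request-line field of the combined nginx log format: "METHOD /path?query HTTP/x".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
# Path fragment of the component-creation view, as used in the grep filter above (assumption).
COMPONENT_PATH_MARKER = "component/new"

def inspect_line(line):
    """Return (leaked, redacted_line) for one nginx access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return False, line
    target = m.group("target")
    parsed = urlsplit(target)
    if COMPONENT_PATH_MARKER not in parsed.path or not parsed.query:
        return False, line
    leaked = False
    params = []
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if key == "source":
            src = urlsplit(value)
            # Credentials embedded as userinfo (user:secret@host) or a token anywhere in the value.
            if src.username or src.password or GITHUB_TOKEN_RE.search(value):
                leaked = True
                value = "REDACTED"
        params.append((key, value))
    if not leaked:
        return False, line
    return True, line.replace(target, parsed.path + "?" + urlencode(params), 1)

def scan_log(lines):
    """Return [(line_number, redacted_line)] for every line that leaked a credential."""
    hits = []
    for n, line in enumerate(lines, start=1):
        leaked, redacted = inspect_line(line.rstrip("\n"))
        if leaked:
            hits.append((n, redacted))
    return hits

# Constructed sample log: unrelated request, clean source URL, token in userinfo, username only.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2025:10:01:02 +0000] "GET /projects/demo/ HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/Apr/2025:10:02:15 +0000] "GET /component/new?project=1&source=https%3A%2F%2Fgithub.com%2Fexample-org%2Fstrings.git HTTP/1.1" 200 2048',
    '10.0.0.7 - - [15/Apr/2025:10:03:40 +0000] "GET /component/new?project=1&source=https%3A%2F%2Fdeploy-bot%3Aghp_0123456789abcdefghijklmnopqrstuvwxyz%40github.com%2Fexample-org%2Fstrings.git HTTP/1.1" 200 2048',
    '10.0.0.9 - - [15/Apr/2025:10:04:01 +0000] "GET /component/new?source=https%3A%2F%2Fsvc-user%40github.com%2Fexample-org%2Fdocs.git&project=2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: credential leaked -> {redacted}")
```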

Patch Analysis:

Weblate 5.11 encrypts URLs server-side before transmission. Verify patch integrity:

shasum -a 256 /usr/local/lib/python3.9/site-packages/weblate/trans/views/component.py | grep <OFFICIAL_HASH>

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
