How the CVE Works
This vulnerability in Weblate exposes GitHub credentials (a username and Personal Access Token) in plaintext via URL parameters when creating a new component from an existing one. The credentials travel as part of the repository URL inside the `repo` query parameter of the request URL, so they are written to web-server access logs (e.g., nginx) and saved in browser history. Anyone who can read those logs or that browser data can extract the token and gain unauthorized access to the private repositories it grants. The root cause is improper handling of sensitive data in client-side requests: a secret is placed in a URL instead of a request body or server-side session.
DailyCVE Form
Platform: Weblate
Version: (Affected versions)
Vulnerability: Credential Leak via URL
Severity: Critical
Date: 2025-04-04
What Undercode Say:
Exploitation:
- Log Harvesting: Attackers scan server logs (e.g., nginx) for exposed GitHub tokens.
- Browser History Extraction: Malicious extensions or malware harvest credentials from saved URLs.
- MITM Attacks: Intercepting unencrypted traffic containing the URL.
Protection:
- Sanitize Logs: Configure web servers to redact sensitive URL parameters.
# $request contains the full query string; logging $request_method, $uri and $server_protocol instead drops the repo=... parameter and any credentials inside it
log_format sanitized '$remote_addr - $remote_user [$time_local] "$request_method $uri $server_protocol" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# $http_referer can also carry a full URL with its query string; remove that field as well if the component form is reached from such a URL
access_log /var/log/nginx/access.log sanitized;
- Disable URL Logging: Exclude sensitive endpoints from logging.
location /create/component/vcs/ { access_log off; }
- Client-Side Fix: Weblate should use POST requests or session storage for credentials.
Detection:
Check nginx logs (use zgrep for rotated .gz files) for repo parameters that carry a user:token@ part, whether URL-encoded or raw:
grep -rE 'repo=https?(%3A%2F%2F|://)[^&[:space:]"]*(%40|@)' /var/log/nginx/
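The same check, as an added example that is not part of the original post or of Weblate: a small Python scanner that parses the quoted request field of nginx combined-format log lines, decodes the `repo` parameter, flags any value that embeds userinfo or a token= key, and returns a redacted copy of the request target so a finding can be recorded without copying the secret again. The log lines and the token value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed nginx access-log lines (combined format). The second request
# carries "alice:ghp_EXAMPLETOKEN" as userinfo inside the `repo` parameter;
# the token is a made-up placeholder, not a real credential.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2025:10:00:01 +0000] "GET /create/component/vcs/?repo=https%3A%2F%2Fgithub.com%2Facme%2Fdocs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/Apr/2025:10:00:09 +0000] "GET /create/component/vcs/?repo=https%3A%2F%2Falice%3Aghp_EXAMPLETOKEN%40github.com%2Facme%2Fprivate&branch=main HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Pulls "METHOD target HTTP/x.y" out of the quoted $request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def repo_url_has_credentials(repo_url: str) -> bool:
    """True if a VCS URL embeds user:token@ userinfo or a token= query key."""
    p = urlsplit(repo_url)
    return bool(p.username or p.password) or "token" in parse_qs(p.query)

def strip_credentials(repo_url: str) -> str:
    """Keep scheme/host/path so the repo stays identifiable, drop the secrets."""
    p = urlsplit(repo_url)
    host = p.netloc.rsplit("@", 1)[-1]                     # remove user:token@
    q = {k: v for k, v in parse_qs(p.query).items() if k != "token"}
    return urlunsplit(p._replace(netloc=host, query=urlencode(q, doseq=True)))

def redact_request_target(target: str) -> tuple[str, bool]:
    """Return (redacted target, leaked?) for one request path+query string."""
    p = urlsplit(target)
    params = parse_qs(p.query, keep_blank_values=True)
    leaked = False
    for i, value in enumerate(params.get("repo", [])):
        if repo_url_has_credentials(value):
            params["repo"][i] = strip_credentials(value)
            leaked = True
    if not leaked:
        return target, False
    return urlunsplit(p._replace(query=urlencode(params, doseq=True))), True

def scan_access_log(text: str) -> list[dict]:
    """One finding per log line whose `repo` parameter carried credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, leaked = redact_request_target(m.group("target"))
        if leaked:
            findings.append({"line": lineno, "client": line.split()[0],
                             "redacted_target": redacted})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: {f['redacted_target']}")
```

Every flagged line identifies a token that must be treated as compromised and rotated, regardless of whether the log was ever read by anyone else.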
Mitigation Patch:
Example: Validate and sanitize repo URLs before processing them, rejecting any GitHub URL that carries a user:token@ userinfo part or a token= parameter:

    def sanitize_repo_url(url):
        """Refuse a GitHub repository URL that embeds credentials instead of passing it on."""
        if "github.com" in url and ("@" in url or "token=" in url):
            raise ValueError("Credentials detected in URL")
        return url
Post-Exploit Actions:
- Rotate exposed GitHub tokens immediately: revoke the leaked Personal Access Token in GitHub under Settings > Developer settings > Personal access tokens, generate a replacement and update the Weblate component to use it. A token found in logs can also be revoked through GitHub's "Revoke a list of credentials" REST endpoint (POST /credentials/revoke), for example:
gh api -X POST /credentials/revoke -f 'credentials[]=<OLD_TOKEN>'
- Audit repository access logs for suspicious activity.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode