Weblate, Over-permissive Webhook Endpoint, Moderate


The vulnerability in Weblate stems from an insufficiently secured webhook endpoint that processes incoming HTTP requests without proper validation or authorization. Webhooks are typically used to trigger repository updates from version control systems such as Git hosting services. This endpoint, however, accepts crafted JSON payloads that may contain multiple repository identifiers or wildcard parameters. An attacker can send a single HTTP POST request to the webhook URL with a payload naming numerous repositories; Weblate then interprets the payload and attempts to update every referenced repository at once. This mass update can be triggered remotely without authentication if the webhook is exposed.

The endpoint may also respond with error messages or data that reveal internal component structures, allowing enumeration. The lack of rate limiting and payload sanitization lets an attacker cause denial of service by overwhelming system resources with git operations. In some configurations the webhook handler does not restrict requests by source IP or token, so it is reachable by any network adversary.

Taken together, this misconfiguration permits unauthorized repository management actions, potentially disrupting continuous integration pipelines and exposing project metadata.
Platform: Weblate
Version: All affected versions
Vulnerability: Over-permissive webhook endpoint
Severity: Moderate
Date: 2025-12-15

Prediction: Expected patch 2025-12-15

What Undercode Says:

Analytics:

curl -X POST http://weblate.example.com/hooks/update/ -H "Content-Type: application/json" -d '{"repositories": [""]}'
nmap -p 80,443 --script http-weblate-webhook <target>
import requests
payload = {"operation": "update", "projects": ["project1", "project2"]}
response = requests.post("http://weblate.target/api/hooks/", json=payload)
print(response.text)

How to Exploit:

Craft an HTTP POST request to the webhook endpoint with a JSON array listing all repositories. Use tools such as curl or a script to automate mass update triggers. Analyze response errors to enumerate components and projects.

Protection from this CVE:

Disable webhooks via the ENABLE_HOOKS setting. Apply security patches from Weblate. Implement IP allowlisting and authentication for webhooks. Validate and sanitize all webhook payloads.
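As an added illustration of the last two mitigations (authenticating the hook and validating its payload), the following is example code written for this advisory, not Weblate's own handler. It assumes the {"repositories": [...]} payload shape described above, a shared secret sent as an HMAC-SHA256 hex digest in a hypothetical "X-Hook-Signature" header, and a fixed allowlist of repository slugs; it rejects empty and wildcard identifiers, caps the fan-out per request, and returns uniform error text so responses cannot be used for enumeration.

```python
import hashlib
import hmac
import json
import re
from typing import Iterable, List, Optional, Tuple
# Constructed example, not Weblate's own code. Assumed: the {"repositories": [...]}
# payload shape from the advisory, a shared secret sent as an HMAC-SHA256 hex digest
# in a hypothetical "X-Hook-Signature" header, and an allowlist of repository slugs.
SLUG_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")
MAX_REPOS_PER_REQUEST = 5

def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, as the legitimate sender computes it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def parse_repositories(body: bytes, allowed: Iterable[str]) -> List[str]:
    """Return validated, de-duplicated slugs or raise ValueError. Wildcards, empty
    identifiers, unknown slugs and oversized lists are rejected, so one request
    can never fan out to every repository."""
    data = json.loads(body)  # raises ValueError on malformed JSON
    repos = data.get("repositories") if isinstance(data, dict) else None
    if not isinstance(repos, list) or not repos:
        raise ValueError("'repositories' must be a non-empty list")
    if len(repos) > MAX_REPOS_PER_REQUEST:
        raise ValueError("too many repositories in one request")
    allowed_set = set(allowed)
    cleaned: List[str] = []
    for item in repos:
        if not isinstance(item, str) or not SLUG_RE.fullmatch(item):
            raise ValueError("invalid repository identifier")
        if item not in allowed_set:
            raise ValueError("unknown repository")
        if item not in cleaned:
            cleaned.append(item)
    return cleaned

def handle_webhook(secret: bytes, body: bytes, signature: Optional[str],
                   allowed: Iterable[str]) -> Tuple[int, str]:
    """Return (HTTP status, message); error text is uniform so responses
    cannot be used to enumerate which repositories exist."""
    # Constant-time signature check; a missing or forged header is rejected first.
    if not signature or not hmac.compare_digest(sign(secret, body), signature):
        return 403, "forbidden"
    try:
        repos = parse_repositories(body, allowed)
    except ValueError:
        return 400, "bad request"
    # A real handler would now queue one update per validated slug.
    return 202, "queued %d update(s)" % len(repos)
```

Rate limiting per source address and restricting the listener to known hosting-provider ranges sit in front of this check and are left to the web server or reverse proxy.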

Impact:

Mass repository updates causing service disruption. Resource exhaustion from simultaneous git operations. Unauthorized component enumeration leading to information disclosure.


Sources:

Reported By: github.com