How the CVE Works
Weblate, an open-source translation platform, lacks rate limiting on its two-factor authentication (2FA) verification endpoint. An attacker who already holds valid credentials can automate submissions of one-time passwords (OTPs) against that endpoint. Because repeated requests are not throttled, the attacker can submit OTP guesses until one matches, bypassing the second factor.
DailyCVE Form
Platform: Weblate
Version: <5.12
Vulnerability: 2FA brute-force
Severity: Moderate
Date: Jun 16, 2025
Prediction: Patch expected by Jun 30, 2025
What Undercode Say
curl -X POST "https://weblate.example.com/2fa-verify/" -d "otp=123456"
hydra -l user -p wordlist.txt weblate.example.com http-post-form "/2fa-verify/:otp=^PASS^:invalid"
How to Exploit
1. Obtain valid credentials via phishing/database leak.
2. Automate OTP submissions using tools like Hydra.
3. Bypass 2FA after successful brute-force.
Protection from this CVE
- Upgrade to Weblate 5.12.
- Implement IP-based rate limiting.
- Monitor failed 2FA attempts.
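The two mitigations above (rate limiting and monitoring failed 2FA attempts), as an added example that is not Weblate's own code: a sliding-window lockout applied before the OTP is even compared, and a detector that flags bursts of failed attempts in log lines. The class name, thresholds and log line format are assumptions, and the sample log lines are constructed.

```python
import hmac
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # sliding window length (assumed policy)
MAX_FAILURES = 5       # failed OTP submissions tolerated per (user, ip) in the window

class OtpRateLimiter:
    """Counts failed OTP submissions per (user, ip); refuses further attempts once full."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)   # (user, ip) -> failure timestamps

    def locked(self, user, ip, now):
        q = self._failures[(user, ip)]
        while q and now - q[0] >= self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def verify(self, user, ip, submitted, expected, now):
        """True only if the attempt is permitted *and* the code matches."""
        if self.locked(user, ip, now):
            return False                         # refuse without comparing the code
        if hmac.compare_digest(submitted, expected):
            self._failures[(user, ip)].clear()
            return True
        self._failures[(user, ip)].append(now)
        return False

LOG_RE = re.compile(r"2fa_failed user=(\S+) ip=(\S+) t=(\d+)")  # assumed log format

def find_otp_bruteforce(log_lines, threshold=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {(user, ip): peak failures in any window} for keys above threshold."""
    stamps = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            stamps[(m.group(1), m.group(2))].append(int(m.group(3)))
    hits = {}
    for key, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] >= window:       # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

# Constructed sample: alice's OTP endpoint hit 8 times in 8 seconds; bob fails twice, far apart.
SAMPLE_LOGS = [f"2fa_failed user=alice ip=203.0.113.7 t={1000 + i}" for i in range(8)]
SAMPLE_LOGS += ["2fa_failed user=bob ip=198.51.100.2 t=1000", "2fa_failed user=bob ip=198.51.100.2 t=2000"]
```

With 5 attempts per 300 seconds, exhausting a six-digit OTP space would take years rather than minutes, which is the property the rate limit restores.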
Impact
- Unauthorized account access.
- Compromised sensitive translation data.
- Reduced trust in 2FA security.
Sources:
Reported By: github.com