An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01N2pnLW05OTctY3gzcc4ABJD0

Severity: Moderate
EPSS: 0.00036% (0.08873 percentile)

Weblate lacks rate limiting when verifying second factor

Affected Packages    Affected Versions    Fixed Versions
pypi:weblate         < 5.12               5.12

0 Dependent packages
2 Dependent repositories
6,170 Downloads last month

Affected Version Ranges

All affected versions

2.10.1, 2.13.1, 2.14.1, 2.17.1, 2.19.1, 3.0.1, 3.1.1, 3.2.1, 3.2.2, 3.5.1, 3.6.1, 3.7.1, 3.9.1, 3.10.1, 3.10.2, 3.10.3, 3.11.1, 3.11.2, 3.11.3, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1, 4.2.1, 4.2.2, 4.3.1, 4.3.2, 4.4.1, 4.4.2, 4.5.1, 4.5.2, 4.5.3, 4.6.1, 4.6.2, 4.7.1, 4.7.2, 4.8.1, 4.9.1, 4.10.1, 4.11.1, 4.11.2, 4.12.1, 4.12.2, 4.13.1, 4.14.1, 4.14.2, 4.15.1, 4.15.2, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.18.1, 4.18.2, 5.0.1, 5.0.2, 5.1.1, 5.2.1, 5.3.1, 5.4.1, 5.4.2, 5.4.3, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.6.1, 5.6.2, 5.7.1, 5.7.2, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.9.1, 5.9.2, 5.10.1, 5.10.2, 5.10.3, 5.10.4, 5.11.1, 5.11.3, 5.11.4

All unaffected versions

5.12.1, 5.12.2

Impact

The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second-factor endpoint allows an attacker who already holds valid credentials to automate OTP guessing.

Patches

This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.

References

Thanks to obscuredeer for reporting this issue at HackerOne.
