CVE-2025-47951
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-07-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | to 5.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Weblate versions prior to 5.12 involves the lack of rate limiting on the second factor verification endpoint. This means that an attacker who already has valid credentials can repeatedly attempt to guess the one-time password (OTP) without restriction, potentially allowing automated attacks to bypass the second factor authentication.
How can this vulnerability impact me? :
The vulnerability allows an attacker with valid credentials to automate OTP guessing, which can lead to unauthorized access despite the presence of two-factor authentication. This compromises the security of user accounts and can result in data exposure or unauthorized actions within the Weblate system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Weblate to version 5.12 or later, as this version includes a patch that adds rate limiting to the second factor verification endpoint, preventing automated OTP guessing attacks.