CVE-2025-58352
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-09-18

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2025-09-18
Generated
2026-06-16
AI Q&A
2025-09-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-58352
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.13.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-58352 is a vulnerability in Weblate versions prior to 5.13.1 where the session expiry time during the second factor authentication (2FA) was set too long. This allowed an attacker to reuse session credentials during the 2FA step to bypass rate limiting mechanisms designed to protect the second factor verification process. Essentially, the session for 2FA remained valid for an extended period, increasing the risk that an attacker could exploit this to gain unauthorized access. The issue is classified as insufficient session expiration (CWE-613) and was fixed by shortening the session expiry time specifically during the 2FA phase in version 5.13.1. [1, 3]

Impact Analysis

This vulnerability allows an attacker with low privileges to circumvent the rate limiting on the second factor authentication by exploiting the long session expiry during the 2FA step. This could increase the risk of unauthorized access to accounts by reusing session credentials or session IDs during the 2FA process. However, the overall impact is limited and rated as low severity (CVSS 2.1) because the attack complexity is high and the impact on confidentiality and integrity is low, with no impact on availability. [1]

Detection Guidance

This vulnerability relates to insufficient session expiration during the second factor authentication in Weblate versions prior to 5.13.1. Detection involves verifying if your Weblate installation is running a version lower than 5.13.1 and checking session expiry times during the 2FA process. Since the vulnerability is about long session expiry during 2FA, you can detect it by monitoring session durations or inspecting session cookie expiry values during 2FA steps. Specific commands are not provided in the resources, but you can check the Weblate version by running `weblate --version` or inspecting the installed package version. Additionally, reviewing session cookie expiry times in your web browser's developer tools during 2FA can help identify if the session expiry is unusually long. [1, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade Weblate to version 5.13.1 or later, where the vulnerability is fixed by introducing a shorter session expiry time during the 2FA process. This update enforces a dedicated session expiry setting (`SESSION_COOKIE_AGE_2FA`) that limits the session duration during second factor verification, reducing the risk of session reuse and bypassing rate limiting. Applying this patch ensures that sessions expire quickly during 2FA, mitigating the vulnerability. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-58352. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart