CVE-2025-58352
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | up to 5.13.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58352 is a vulnerability in Weblate versions prior to 5.13.1 where the session expiry time during the second factor authentication (2FA) was set too long. This allowed an attacker to reuse session credentials during the 2FA step to bypass rate limiting mechanisms designed to protect the second factor verification process. Essentially, the session for 2FA remained valid for an extended period, increasing the risk that an attacker could exploit this to gain unauthorized access. The issue is classified as insufficient session expiration (CWE-613) and was fixed by shortening the session expiry time specifically during the 2FA phase in version 5.13.1. [1, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker with low privileges to circumvent the rate limiting on the second factor authentication by exploiting the long session expiry during the 2FA step. This could increase the risk of unauthorized access to accounts by reusing session credentials or session IDs during the 2FA process. However, the overall impact is limited and rated as low severity (CVSS 2.1) because the attack complexity is high and the impact on confidentiality and integrity is low, with no impact on availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to insufficient session expiration during the second factor authentication in Weblate versions prior to 5.13.1. Detection involves verifying if your Weblate installation is running a version lower than 5.13.1 and checking session expiry times during the 2FA process. Since the vulnerability is about long session expiry during 2FA, you can detect it by monitoring session durations or inspecting session cookie expiry values during 2FA steps. Specific commands are not provided in the resources, but you can check the Weblate version by running `weblate --version` or inspecting the installed package version. Additionally, reviewing session cookie expiry times in your web browser's developer tools during 2FA can help identify if the session expiry is unusually long. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Weblate to version 5.13.1 or later, where the vulnerability is fixed by introducing a shorter session expiry time during the 2FA process. This update enforces a dedicated session expiry setting (`SESSION_COOKIE_AGE_2FA`) that limits the session duration during second factor verification, reducing the risk of session reuse and bypassing rate limiting. Applying this patch ensures that sessions expire quickly during 2FA, mitigating the vulnerability. [1, 2, 3]
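The mitigation described above, modelled as an added example (not Weblate's own code): a Django-style session that, while a login is parked between password and second factor, carries a dedicated short expiry instead of inheriting the regular one. The `Session` class, the `awaiting_2fa_user` key, the helper names and the age values are assumptions constructed for this example; only the setting name `SESSION_COOKIE_AGE_2FA` comes from the advisory.

```python
from dataclasses import dataclass, field

# Assumed values for this example; Weblate's real defaults may differ.
SESSION_COOKIE_AGE = 14 * 24 * 3600   # regular logged-in session, in seconds
SESSION_COOKIE_AGE_2FA = 600          # dedicated short age while 2FA is pending


@dataclass
class Session:
    """Minimal stand-in for a Django session: a data dict plus an expiry in seconds."""
    created: float
    data: dict = field(default_factory=dict)
    expiry: int = SESSION_COOKIE_AGE

    def set_expiry(self, seconds: int) -> None:
        self.expiry = seconds

    def is_expired(self, now: float) -> bool:
        return now >= self.created + self.expiry


def start_second_factor(session: Session, user_id: int, patched: bool = True) -> None:
    """Password accepted; hold the login in a 2FA-pending state.

    patched=False reproduces the pre-5.13.1 behaviour, where the pending session
    kept the long regular age. patched=True applies the dedicated short age so the
    pending state (and any credentials tied to it) dies after SESSION_COOKIE_AGE_2FA.
    """
    session.data["awaiting_2fa_user"] = user_id
    if patched:
        session.set_expiry(SESSION_COOKIE_AGE_2FA)


def second_factor_window_open(session: Session, now: float) -> bool:
    """Whether a second-factor verification may still proceed on this session."""
    return "awaiting_2fa_user" in session.data and not session.is_expired(now)


def complete_second_factor(session: Session, now: float) -> bool:
    """Promote to a full session only if the 2FA window is still open."""
    if not second_factor_window_open(session, now):
        return False
    session.data["user_id"] = session.data.pop("awaiting_2fa_user")
    session.created = now                      # full session starts from verification
    session.set_expiry(SESSION_COOKIE_AGE)     # regular age applies only after 2FA
    return True
```

When auditing a deployment, the observable difference is the `Max-Age`/`Expires` of the session cookie set between the password step and the second-factor prompt: with the patched behaviour it should be on the order of `SESSION_COOKIE_AGE_2FA`, not the regular session age.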