CVE-2025-61587
BaseFortify
Publication date: 2025-10-01
Last updated on: 2025-10-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | to 5.13.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an open redirect in Weblate versions 5.13.2 and below. It occurs via the 'redir' parameter on .within.website when Weblate is configured with Anubis and the REDIRECT_DOMAINS setting is not configured. An attacker can craft a URL on the legitimate domain that redirects users to an attacker-controlled site, potentially leading to malicious activities such as drive-by downloads.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to redirect users from a legitimate Weblate domain to malicious sites. This can lead to drive-by downloads where users might unknowingly download malicious files, increasing the risk of malware infection and compromise of user systems.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Weblate to version 5.13.3 or later, where the open redirect issue is fixed. Additionally, ensure that the REDIRECT_DOMAINS setting is properly configured to restrict allowed redirect domains, preventing open redirects.