CVE-2025-64725
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | up to 5.15 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-286 | The product does not properly manage a user within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-64725 is a vulnerability in Weblate versions prior to 5.15 where the validation of invitations was improperly implemented. Specifically, invitation validation was performed only during HTTP GET requests but was missing during HTTP POST requests when accepting invitations. This flaw allowed a user to accept an invitation that was opened by a different user, leading to unauthorized acceptance of invitations due to insufficient validation of invitation tokens or parameters. [1, 3, 4]
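The pattern described above, a check that runs on the GET that renders the confirmation page but not on the POST that actually accepts, is easiest to see in code. The following is an added illustration written for this page, not Weblate's implementation: the `Invitation` and `Request` types, the session-based flow and the helper names are assumptions. The vulnerable handler trusts whatever token the GET stored in the session, so if the authenticated user changes before the POST (the "session left open" case the workaround talks about), the acceptance is recorded for the wrong account. The hardened handler re-validates on every method.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class InvitationError(Exception):
    """Raised when an invitation may not be accepted by the current user."""


@dataclass
class Invitation:
    token: str
    email: str                      # address the invitation was issued to
    accepted_by: Optional[str] = None


@dataclass
class Request:
    method: str                     # "GET" or "POST"
    user_email: str                 # currently authenticated user (assumption)
    session: Dict[str, str] = field(default_factory=dict)


def _validate(inv: Invitation, request: Request) -> None:
    """The check that must run for every request touching the invitation."""
    if inv.accepted_by is not None:
        raise InvitationError("invitation already used")
    if inv.email != request.user_email:
        raise InvitationError("invitation was issued to a different user")


def accept_invitation_vulnerable(inv: Invitation, request: Request) -> str:
    """Validation only on GET: the POST trusts the token stashed in the session."""
    if request.method == "GET":
        _validate(inv, request)
        request.session["invitation"] = inv.token
        return "render confirmation"
    # POST path: no re-validation against the user who is now logged in
    if request.session.get("invitation") == inv.token:
        inv.accepted_by = request.user_email
        return "accepted"
    raise InvitationError("no invitation in session")


def accept_invitation_fixed(inv: Invitation, request: Request) -> str:
    """Same flow, but the user/invitation check runs before any state change."""
    _validate(inv, request)          # GET and POST alike
    if request.method == "GET":
        request.session["invitation"] = inv.token
        return "render confirmation"
    if request.session.get("invitation") != inv.token:
        raise InvitationError("no invitation in session")
    inv.accepted_by = request.user_email
    return "accepted"


def demo() -> Dict[str, Optional[str]]:
    """Replays the same sequence against both handlers and reports who ended up accepting."""
    results: Dict[str, Optional[str]] = {}
    for name, handler in (("vulnerable", accept_invitation_vulnerable),
                          ("fixed", accept_invitation_fixed)):
        inv = Invitation(token="tok-1", email="alice@example.com")
        session: Dict[str, str] = {}
        handler(inv, Request("GET", "alice@example.com", session))   # alice opens it
        try:
            # a different account submits the POST from the same session
            handler(inv, Request("POST", "bob@example.com", session))
        except InvitationError:
            pass
        results[name] = inv.accepted_by
    return results


if __name__ == "__main__":
    print(demo())   # vulnerable handler records bob, fixed handler records nobody
```

The decisive difference is only where `_validate` is called; the rest of the flow is identical, which is why this class of bug survives review when the GET path looks correct in isolation.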
How can this vulnerability impact me?
This vulnerability can allow unauthorized users to accept invitations that were intended for other users, potentially leading to incorrect user management and unauthorized access to parts of the Weblate system. However, the overall severity is low, with limited impact on confidentiality and no impact on integrity or availability. The risk can be mitigated by avoiding leaving Weblate sessions with invitations open unattended and by applying the patch in version 5.15. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Weblate to version 5.15 or later, which contains the patch fixing the improper invitation validation. As a workaround until the update can be applied, avoid leaving Weblate sessions with invitations opened unattended to prevent unauthorized acceptance of invitations. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper invitation validation in Weblate when accepting invitations. Detection centres on HTTP POST requests to the invitation acceptance endpoint, looking for acceptances that do not correspond to the authenticated user who opened the invitation. Because the flaw lives in application-layer acceptance logic, network-level detection is limited; web server access logs or application logs are the more useful source for spotting suspicious invitation POSTs. For example, a grep for POST requests to the invitation endpoint (path and log location will vary by deployment): `grep 'POST /invitation/accept' /var/log/weblate/access.log`. Correlating sessions so that an invitation opened by one user and accepted by another stands out is a further indicator of exploitation attempts. The referenced resources provide no specific detection commands, but these general approaches can help identify potential exploitation. [1, 3, 4]
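The correlation idea above (an invitation opened by one user and accepted by another) can be run over logs directly. The following is an added example, not tooling from the page or from the Weblate project: the log lines are constructed for illustration, and the `key=value` record layout and the `/invitation/<token>` and `/invitation/<token>/accept` path shapes are assumptions you would adapt to your own logging format. It flags two conditions: an acceptance whose token was opened by a different user, and an acceptance with no preceding open in the log window at all.

```python
import re
from typing import Dict, List

# Constructed sample records (not real Weblate output); one request per line.
SAMPLE_LOG = """\
2025-12-15T10:00:01Z user=alice method=GET path=/invitation/tok-aaa
2025-12-15T10:00:09Z user=alice method=POST path=/invitation/tok-aaa/accept
2025-12-15T10:05:00Z user=carol method=GET path=/invitation/tok-bbb
2025-12-15T10:07:30Z user=dave method=POST path=/invitation/tok-bbb/accept
2025-12-15T10:09:00Z user=erin method=POST path=/invitation/tok-ccc/accept
2025-12-15T10:10:00Z user=frank method=GET path=/projects/
"""

# Assumed record layout: timestamp, authenticated user, method, request path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>GET|POST) path=(?P<path>\S+)$"
)
# Assumed path shapes for opening and accepting an invitation.
OPEN_RE = re.compile(r"^/invitation/(?P<token>[^/]+)/?$")
ACCEPT_RE = re.compile(r"^/invitation/(?P<token>[^/]+)/accept/?$")


def find_suspicious_acceptances(log_text: str) -> List[dict]:
    """Return one finding per POST acceptance that does not match the user who opened it."""
    opened_by: Dict[str, str] = {}        # invitation token -> user who last opened it
    findings: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not guess
        ts, user, method, path = m.group("ts", "user", "method", "path")
        if method == "GET":
            opened = OPEN_RE.match(path)
            if opened:
                opened_by[opened.group("token")] = user
            continue
        accepted = ACCEPT_RE.match(path)
        if not accepted:
            continue
        token = accepted.group("token")
        opener = opened_by.get(token)
        if opener is None:
            findings.append({"ts": ts, "token": token, "user": user, "opener": None,
                             "reason": "accepted with no preceding GET in this log window"})
        elif opener != user:
            findings.append({"ts": ts, "token": token, "user": user, "opener": opener,
                             "reason": f"opened by {opener}, accepted by {user}"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_acceptances(SAMPLE_LOG):
        print(f"{f['ts']} {f['token']}: {f['reason']}")
```

The second condition is noisy on a rotated log (the GET may simply be in an earlier file), so in practice it is a lower-confidence signal than the user mismatch; keeping the two reasons separate lets a detection rule weight them differently.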