CVE-2025-64725
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64725
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
weblate weblate to 5.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-286 The product does not properly manage a user within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-64725 is a vulnerability in Weblate versions prior to 5.15 where the validation of invitations was improperly implemented. Specifically, invitation validation was performed only during HTTP GET requests but was missing during HTTP POST requests when accepting invitations. This flaw allowed a user to accept an invitation that was opened by a different user, leading to unauthorized acceptance of invitations due to insufficient validation of invitation tokens or parameters. [1, 3, 4]

Impact Analysis

This vulnerability can allow unauthorized users to accept invitations that were intended for other users, potentially leading to incorrect user management and unauthorized access to parts of the Weblate system. However, the overall severity is low, with limited impact on confidentiality and no impact on integrity or availability. The risk can be mitigated by avoiding leaving Weblate sessions with invitations open unattended and by applying the patch in version 5.15. [2, 3]

Mitigation Strategies

To mitigate this vulnerability, immediately update Weblate to version 5.15 or later, which contains the patch fixing the improper invitation validation. As a workaround until the update can be applied, avoid leaving Weblate sessions with invitations opened unattended to prevent unauthorized acceptance of invitations. [2, 3]

Detection Guidance

This vulnerability involves improper invitation validation in Weblate when accepting invitations. Detection would involve monitoring HTTP POST requests to the invitation acceptance endpoint to check if invitations are being accepted without proper validation. Specifically, you can look for POST requests to the invitation acceptance URL that do not correspond to the authenticated user. Since the vulnerability is related to invitation acceptance logic in the application layer, network-level detection might be limited. However, you can use web server access logs or application logs to identify suspicious POST requests related to invitations. For example, using grep on server logs to find POST requests to invitation endpoints: `grep 'POST /invitation/accept' /var/log/weblate/access.log` or similar. Additionally, monitoring user sessions for multiple users accepting invitations opened by others could indicate exploitation attempts. There are no specific commands provided in the resources, but these general approaches can help detect potential exploitation. [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart