CVE-2025-66407
Server-Side Request Forgery in Weblate Mercurial Component
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weblate | weblate | 5.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-66407 is a Server-Side Request Forgery (SSRF) vulnerability in Weblate versions prior to 5.15. It affects the Create Component functionality, which allows authorized users to add new translation components by specifying a version control system (VCS) and a repository URL. The repository URL field is not validated or sanitized, allowing attackers to supply arbitrary protocols, hostnames, IP addresses (including localhost and internal network addresses), and local filenames. When the Mercurial VCS backend is selected, Weblate exposes the full server-side HTTP response for the provided URL, enabling attackers to probe internal services and retrieve their contents. Additionally, local file enumeration is possible via file:// requests, revealing information about the server's filesystem layout through error messages. This is especially dangerous in cloud environments, where internal-only endpoints like cloud metadata services may be accessed, potentially leading to credential disclosure and full environment compromise. The vulnerability was fixed in Weblate 5.15. [3]
How can this vulnerability impact me?
This vulnerability can allow attackers to perform SSRF attacks to access internal HTTP endpoints and services that are normally inaccessible from outside the server. It can also enable local file enumeration, revealing sensitive information about the server's filesystem. In cloud environments, attackers may access internal-only endpoints such as cloud metadata services, which can lead to credential disclosure and potentially full compromise of the environment. This can result in unauthorized access to sensitive data and resources, posing a significant security risk. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Weblate instance is running a version prior to 5.15 and if the Mercurial VCS backend is enabled in the VCS_BACKENDS configuration. Since the vulnerability involves server-side request forgery via the repository URL field, you can attempt to create a component with a repository URL using arbitrary protocols such as file:// or internal IP addresses to see if the server responds with detailed HTTP responses or error messages revealing internal files or services. Specific commands are not provided in the resources, but testing the Create Component functionality with crafted URLs targeting internal services or local files can help detect the vulnerability. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Weblate to version 5.15 or later, where the vulnerability is fixed. If upgrading is not immediately possible, remove the Mercurial VCS backend from the VCS_BACKENDS configuration as a workaround, since the Git backend is not affected. Additionally, applying patches that sanitize Mercurial error messages to prevent exposure of sensitive HTTP response details can help mitigate information disclosure risks. [2, 3]
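As an added illustration (not code from Weblate or from this advisory), the following Python shows the two defensive measures described above: the VCS_BACKENDS workaround, and the kind of repository-URL pre-check whose absence the advisory attributes to the bug (arbitrary schemes such as file://, loopback, link-local and internal addresses). The backend class path, the allowed schemes and the injectable resolver are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed backend class path, modelled on the VCS_BACKENDS entries in Weblate's
# settings.py (check it against your own deployment's settings).
MERCURIAL_BACKEND = "weblate.vcs.mercurial.HgRepository"

# Assumption: this deployment only clones over these schemes; file:// and plain
# http:// are deliberately left out.
ALLOWED_SCHEMES = {"https", "ssh", "git"}


def drop_mercurial(vcs_backends):
    """The advisory's workaround: VCS_BACKENDS without the Mercurial backend."""
    return tuple(b for b in vcs_backends if b != MERCURIAL_BACKEND)


def repo_url_is_safe(url, resolve=socket.gethostbyname):
    """Illustrative pre-check for a repository URL (not Weblate's own fix).

    Rejects the input classes the advisory lists: unexpected schemes such as
    file://, missing hosts, and hostnames or IP literals that point at loopback,
    link-local (where cloud metadata services live), private or otherwise
    non-global addresses. `resolve` is injectable so the check runs offline in
    tests. Caveat: a resolve-then-fetch check is still open to DNS rebinding,
    so keep network egress controls around the clone process as well.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False  # covers file:///path and scp-style "user@host:path"
    host = parts.hostname
    try:
        addr = ipaddress.ip_address(host)        # IP literal, including [v6]
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (OSError, ValueError):            # NXDOMAIN, timeout, odd reply
            return False
    return addr.is_global and not (
        addr.is_loopback or addr.is_link_local or addr.is_multicast
    )
```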