GHSA-57jg-m997-cx3q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-57jg-m997-cx3q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-57jg-m997-cx3q/GHSA-57jg-m997-cx3q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-57jg-m997-cx3q
- Aliases
- Published
- 2025-06-16T14:52:53Z
- Modified
- 2025-06-16T22:20:36.919750Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Weblate lacks rate limiting when verifying second factor
- Details
-
Impact
The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.
Patches
This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.
References
Thanks to obscuredeer for reporting this issue at HackerOne.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-06-16T14:52:53Z", "nvd_published_at": "2025-06-16T21:15:24Z", "cwe_ids": [ "CWE-307" ], "severity": "MODERATE" }- References
-
- https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q
- https://nvd.nist.gov/vuln/detail/CVE-2025-47951
- https://github.com/WeblateOrg/weblate/pull/14918
- https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384
- https://hackerone.com/reports/3150564
- https://github.com/WeblateOrg/weblate
- https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1
Affected packages
PyPI / weblate
Package
- Name
- weblate
- View open source insights on deps.dev
- Purl
- pkg:pypi/weblate
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.12
Affected versions
1.*
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.10.1
2.11
2.12
2.13
2.13.1
2.14
2.14.1
2.15
2.16
2.17
2.17.1
2.18
2.19
2.19.1
2.20
3.*
3.0
3.0.1
3.1
3.1.1
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.5.1
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.9.1
3.10
3.10.1
3.10.2
3.10.3
3.11
3.11.1
3.11.2
3.11.3
4.*
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1
4.1.1
4.2
4.2.1
4.2.2
4.3
4.3.1
4.3.2
4.4
4.4.1
4.4.2
4.5
4.5.1
4.5.2
4.5.3
4.6
4.6.1
4.6.2
4.7
4.7.1
4.7.2
4.8
4.8.1
4.9
4.9.1
4.10
4.10.1
4.11
4.11.1
4.11.2
4.12
4.12.1
4.12.2
4.13
4.13.1
4.14
4.14.1
4.14.2
4.15
4.15.1
4.15.2
4.16
4.16.1
4.16.2
4.16.3
4.16.4
4.17
4.18
4.18.1
4.18.2
5.*
5.0
5.0.1
5.0.2
5.1
5.1.1
5.2
5.2.1
5.3
5.3.1
5.4
5.4.1
5.4.2
5.4.3
5.5
5.5.2
5.5.3
5.5.4
5.5.5
5.6
5.6.1
5.6.2
5.7
5.7.1
5.7.2
5.8.1
5.8.2
5.8.3
5.8.4
5.9.dev0
5.9.1
5.9.2
5.10
5.10.1
5.10.2
5.10.3
5.10.4
5.11
5.11.1
5.11.3
5.11.4