PT-2025-51337 · Weblate · Weblate

Published 2025-12-15 · Updated 2026-05-26 · CVE-2025-66407

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.15

Description: Weblate is a web-based localization tool. The Create Component functionality allows authorized users to add new translation components by specifying a version control system and a source code repository URL. Prior to version 5.15, the repository URL field lacks validation and sanitization, enabling attackers to supply arbitrary protocols, hostnames, and IP addresses, including localhost, internal network addresses, and local filenames. When using the Mercurial version control system, Weblate exposes the full server-side HTTP response for the provided URL, creating a server-side request forgery (SSRF) primitive. This allows probing internal services and accessing their contents. The behavior also enables local file enumeration through file:// requests, revealing information about the server's filesystem layout based on error messages. In cloud environments, this can lead to credential disclosure and full environment compromise by accessing internal-only endpoints such as cloud metadata services.

Recommendations: Versions prior to 5.15: upgrade to version 5.15 or later. As a workaround, remove Mercurial from VCS_BACKENDS.
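The description above pins the root cause on a repository URL field that accepts any scheme and any host. As an added, generic illustration of the kind of pre-check a defender would put in front of such a field (this is not Weblate's own code or its 5.15 fix; the allowed-scheme set, blocked hostnames and the optional resolver hook are assumptions chosen for the example), the following validator rejects file:// URLs, loopback, link-local, private and otherwise non-global addresses, IPv4-mapped IPv6 forms, and hostnames that resolve to such addresses.

```python
"""Added example: defensive validation of a user-supplied repository URL.

Not Weblate project code. The policy values below are assumptions for the
example; a real deployment would tune them to its own allowed remotes.
"""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: only remote, network-based schemes are acceptable for a
# component repository. file:// is deliberately absent, which is what stops
# the local-file enumeration variant described in the advisory.
ALLOWED_SCHEMES = {"https", "ssh", "git", "git+ssh"}

# Constructed examples of names that should never be fetched by the server.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def _is_non_global(raw: str) -> bool:
    """True if *raw* is an IP literal that is not globally routable.

    IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are unwrapped first so that
    ::ffff:127.0.0.1 is judged like 127.0.0.1 rather than as a generic IPv6
    address.
    """
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_repo_url(url: str, resolver: Optional[Resolver] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a repository URL.

    resolver, if given, maps a hostname to the IP addresses it resolves to;
    every resolved address must be globally routable. It is a parameter so the
    example runs offline; in production it would wrap socket.getaddrinfo.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '<none>'}"

    host = parts.hostname  # lower-cased, brackets stripped, userinfo removed
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname: {host}"

    # IP literal: judge it directly.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        if _is_non_global(host):
            return False, f"address is not globally routable: {host}"
        return True, "ok"

    # Hostname: optionally check what it resolves to. Note that a pre-check
    # cannot rule out DNS rebinding; the same policy must also be applied by
    # the component that performs the fetch.
    if resolver is not None:
        addresses = list(resolver(host))
        if not addresses:
            return False, f"hostname does not resolve: {host}"
        for addr in addresses:
            if _is_non_global(addr):
                return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring the classes of URL named in the advisory.
    for candidate in [
        "https://github.com/WeblateOrg/weblate.git",
        "file:///etc/passwd",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/",
        "https://[::ffff:10.0.0.5]/repo",
    ]:
        print(candidate, "->", validate_repo_url(candidate))
```

The check deliberately uses `is_global` rather than `is_private`, because the former also excludes ranges such as 100.64.0.0/10 that `is_private` does not flag. Because redirects and re-resolution happen inside the VCS tool, the same rule has to be enforced where the fetch is made, which is why the advisory's workaround of disabling the Mercurial backend is a sound interim step.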

Exploit

Fix

CSRF

SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-66407
GHSA-HFPV-MC5V-P9MM
PYSEC-2025-231

Affected Products

Weblate