Use of GET Request Method With Sensitive Query Strings Affecting weblate package, versions [0,5.11)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-WEBLATE-9833968
- published5 May 2025
- disclosed15 Apr 2025
- creditJoonas Häkkinen
Introduced: 15 Apr 2025
NewCVE-2025-32021 (opens in a new tab)How to fix?
Upgrade Weblate to version 5.11 or higher.
Overview
Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings when a new component is created based on an existing one with a source code repository URL, this URL, including any embedded credentials (like a GitHub Personal Access Token and username), is passed as plain text in the client's URL parameters. An attacker can gain access to private repositories containing sensitive source code by exploiting server logs or browser history, where these credentials are stored in plaintext.
PoC
Create a component that has the Repository push URL setting configured with
Create another component using the From existing component option and selecting the previous component as the source.
URL parameter
reposhould now include the secret PAT configured in the original component's settings. The URL with the token is potentially saved as plaintext in browser history and server logs.Select a translation file to import.
Observe again the same
repoparameter in the URL.