Use of GET Request Method With Sensitive Query Strings Affecting weblate package, versions [0,5.11)


Severity: low (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 0.04% (13th percentile)

  • Snyk ID: SNYK-PYTHON-WEBLATE-9833968
  • published: 5 May 2025
  • disclosed: 15 Apr 2025
  • credit: Joonas Häkkinen

Introduced: 15 Apr 2025

CVE-2025-32021
CWE-598

How to fix?

Upgrade Weblate to version 5.11 or higher.

Overview

Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings. When a new component is created from an existing component that has a source code repository URL configured, that URL is passed as a plain-text query parameter in the client's request. If the URL embeds credentials (for example a GitHub username and Personal Access Token), the credentials are written, unencrypted, into the browser history and into web server, proxy and CDN access logs. Anyone who can read those logs or that history can recover the token and use it to access the private repository and its source code.

PoC

  1. Create a component that has the Repository push URL setting configured with

  2. Create another component using the From existing component option and selecting the previous component as the source.

  3. The URL parameter repo now includes the secret PAT configured in the original component's settings. The URL with the token is potentially saved as plaintext in browser history and server logs.

  4. Select a translation file to import.

  5. Observe again the same repo parameter in the URL.
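The following is an added example, not Weblate's own code and not the upstream fix. It shows the two things a practitioner wants after reading the PoC above: how to audit existing access logs for repository URLs that carried credentials through a GET query string (the repo parameter in the steps above), and how to redact the userinfo part of a URL before it is ever placed in a query string or log line. The log format, request paths, hostnames and the token value in SAMPLE_ACCESS_LOG are constructed for the demo and are assumptions, not taken from the advisory.

```python
"""Added example (not Weblate's own code): audit web-server access logs for
repository URLs that carry embedded credentials in a GET query string, and
redact such URLs before they are placed in a query string or a log line.

Assumptions (not stated by the advisory): the access log is in the common
Apache/nginx combined format, and the request paths, hostnames and the token
in SAMPLE_ACCESS_LOG are constructed for this demo (the token is a fake
placeholder, not a real credential).
"""
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: line 1 mirrors the leak the advisory describes, a repo
# URL with user:token@ percent-encoded into a GET query parameter.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [15/Apr/2025:10:01:12 +0000] "GET /create/component/vcs/?repo=https%3A%2F%2Foctocat%3Aghp_FAKE0000000000000000000000000000000%40github.com%2Fexample%2Fprivate.git&name=docs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Apr/2025:10:02:40 +0000] "GET /create/component/vcs/?repo=https%3A%2F%2Fgithub.com%2Fexample%2Fpublic.git HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Apr/2025:10:03:01 +0000] "GET /projects/example/ HTTP/1.1" 200 2201 "-" "curl/8.0"
"""

# The quoted request line of a combined-format entry: "METHOD TARGET HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def url_has_secret_userinfo(url: str) -> bool:
    """True when the URL authority carries credentials (user:password@ or token@).

    A bare ``git@`` on an ssh:// or git:// URL is the conventional non-secret
    SSH user and is not treated as a leak.
    """
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return False
    if parts.scheme in ("ssh", "git") and parts.username == "git" and not parts.password:
        return False
    return True


def strip_userinfo(url: str) -> str:
    """Return the URL with everything before '@' in the authority removed.

    This is the only form that is safe to put in a query string, a redirect
    or a log line; the secret itself belongs in a POST body or server-side
    state, never in the URL.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def find_leaked_credentials(log_text: str) -> list:
    """Scan combined-format log lines for GET requests whose query parameters
    contain a URL with embedded credentials; return one finding per hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = _REQUEST_RE.search(line)
        if not match or match.group("method") != "GET":
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes values, so the embedded URL is reconstituted
        for name, values in parse_qs(query).items():
            for value in values:
                if url_has_secret_userinfo(value):
                    findings.append({
                        "line": lineno,
                        "param": name,
                        "user": urlsplit(value).username,
                        "redacted": strip_userinfo(value),
                    })
    return findings


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: param {hit['param']!r} leaks credentials "
              f"for user {hit['user']!r}; redacted form: {hit['redacted']}")
```

Run against the constructed log, only the first line is reported: the repo parameter carries credentials for user octocat and the redacted form is https://github.com/example/private.git. The scanner checks every query parameter rather than only repo, so it also catches the same leak under a different parameter name; when run on real logs, treat every hit as a token that must be revoked, since rotation is the only remediation once the value has reached a log or a browser history.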
