CVE-2025-47951
MEDIUM4.9EPSS 0.20%Weblate lacks rate limiting when verifying second factor
Published: 6/16/2025Modified: 6/16/2025
Also known as:GHSA-57jg-m997-cx3q
Description
### Impact The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. ### Patches This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918. ### References Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).
Affected packages (1)
- PyPI/weblatefrom 0, < 5.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47951
- PATCHhttps://github.com/WeblateOrg/weblate
- WEBhttps://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384
- WEBhttps://github.com/WeblateOrg/weblate/pull/14918
- WEBhttps://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1
- WEBhttps://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q
- WEBhttps://hackerone.com/reports/3150564