CVE-2025-58352

Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908	Patch
https://github.com/WeblateOrg/weblate/pull/16002	Issue Tracking
https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*

History

18 Sep 2025, 16:25

Type	Values Removed	Values Added
References	~~() https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908 -~~	() https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908 - Patch
References	~~() https://github.com/WeblateOrg/weblate/pull/16002 -~~	() https://github.com/WeblateOrg/weblate/pull/16002 - Issue Tracking
References	~~() https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728 -~~	() https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728 - Vendor Advisory
First Time		Weblate weblate Weblate
CPE		cpe:2.3:a:weblate:weblate::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

05 Sep 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-05 00:15

Updated : 2025-09-18 16:25

NVD link : CVE-2025-58352

Mitre link : CVE-2025-58352

CVE.ORG link : CVE-2025-58352

JSON object : View

Products Affected

weblate

weblate

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-58352", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-05T00:15:32.280", "references": [{"url": "https://github.com/WeblateOrg/weblate/commit/0b46fe596231dd456283ead66699ae5516f23908", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/pull/16002", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-377j-wj38-4728", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in version 5.13.1."}], "lastModified": "2025-09-18T16:25:36.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBCCB5A1-F592-4D8C-BE38-A704460A7343", "versionEndExcluding": "5.13.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}