| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Weblate | pip | < 5.13.1 | 5.13.1 |
The vulnerability, GHSA-377j-wj38-4728, is an insufficient session expiration weakness in Weblate's two-factor authentication (2FA) process. When a user with 2FA enabled logged in, the application would create a session with a long expiration time immediately after password validation, but before the second factor was provided. This gave an attacker who had compromised a user's password a prolonged window (up to 14 days) to attempt to brute-force or otherwise bypass the second-factor challenge, defeating the purpose of rate-limiting on that step.
The root cause was that the central function for managing session duration, weblate.accounts.utils.adjust_session_expiry, was not aware of the user's 2FA verification state. It only knew whether the initial authentication (password or social login) was successful.
The patch addresses this by:
- Adding a new, short session timeout setting (SESSION_COOKIE_AGE_2FA, set to 180 seconds) specifically for the 2FA verification phase.
- Changing adjust_session_expiry to accept a user object and check whether the user is fully verified (user.is_verified()). If the user has 2FA enabled but has not yet completed the challenge, the new short timeout is applied.
- Updating every caller of adjust_session_expiry (the standard login form in AuthenticationForm.clean, the social auth pipeline step notify_connect, and the session-extending AuthenticationMiddleware) to pass the required user object.

This ensures that the session stays valid for only a few minutes until the 2FA challenge is successfully completed, which closes the brute-force window against the second factor.
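To make the difference concrete, the following is an added example (not Weblate's own code) that models the pre-patch and post-patch shapes of adjust_session_expiry against a stand-in session and user; FakeSession, FakeUser, login_flow and the 14-day default age are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SESSION_COOKIE_AGE = 14 * 24 * 3600   # long-lived session (the 14-day window named in the advisory)
SESSION_COOKIE_AGE_2FA = 180          # short window for the second-factor step (value from the patch)


@dataclass
class FakeSession:
    """Stand-in for a Django session object; only the expiry age is tracked."""
    expiry: Optional[int] = None

    def set_expiry(self, seconds: int) -> None:
        self.expiry = seconds


@dataclass
class FakeUser:
    """Stand-in for a Weblate user; second_factor_done flips once the 2FA challenge passes."""
    has_2fa: bool
    second_factor_done: bool = False

    def is_verified(self) -> bool:
        # Fully verified means: no 2FA configured, or the second factor has been presented.
        return not self.has_2fa or self.second_factor_done


def adjust_session_expiry_vulnerable(session: FakeSession) -> int:
    # Pre-patch shape: no user is passed, so the long expiry is applied
    # as soon as the password is accepted, before the second factor.
    session.set_expiry(SESSION_COOKIE_AGE)
    return session.expiry


def adjust_session_expiry_fixed(session: FakeSession, user: FakeUser) -> int:
    # Patched shape: a user object is required; an unverified 2FA user
    # only gets the short window until the challenge is completed.
    session.set_expiry(SESSION_COOKIE_AGE_2FA if not user.is_verified() else SESSION_COOKIE_AGE)
    return session.expiry


def login_flow(user: FakeUser, fixed: bool) -> List[int]:
    """Return the session expiry after the password step and after the 2FA step."""
    session = FakeSession()
    adjust = (lambda: adjust_session_expiry_fixed(session, user)) if fixed \
        else (lambda: adjust_session_expiry_vulnerable(session))
    after_password = adjust()          # login form / social auth pipeline
    user.second_factor_done = True     # user completes the second-factor challenge
    after_2fa = adjust()               # middleware re-adjusts expiry on the next request
    return [after_password, after_2fa]
```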