4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-67715

CVE-2025-67715: Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)

Impact

It was possible to retrieve user notification settings or list all users via API.

Patches

https://github.com/WeblateOrg/weblate/pull/17256

References

Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to Weblate.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-67715

CVE-2025-67715:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Weblate	pip	< 5.15	5.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper access control within Weblate's REST API, leading to two primary issues: user enumeration and Insecure Direct Object References (IDOR). The analysis of the security patch (commit 0d64cc3980d6cd1f54c029530d015dbe8c960f22) reveals several vulnerable functions.

User Enumeration: The UserViewSet.list and SearchView.get methods allowed attackers to discover valid usernames. UserViewSet.list permitted authenticated but low-privileged users to fetch user lists with short or empty search queries. SearchView.get exposed usernames to unauthenticated users through the global search functionality. The patch restricts these capabilities by enforcing a minimum query length for non-privileged users and requiring authentication for user searches.
IDOR: The UserViewSet.notifications and UserViewSet.notifications_details methods were missing authorization checks for HTTP GET requests. This allowed any authenticated user to view or retrieve the details of any other user's notification settings and subscriptions simply by manipulating the username in the API endpoint URL. The patch resolves this by implementing a new permission check (perm_check with allow_self=True) that ensures a user can only access their own resources unless they have administrative privileges.

In summary, the root cause was a failure to consistently enforce object-level permissions across all relevant API endpoints, allowing unauthorized information disclosure.

Vulnerable functions

weblate.api.views.UserViewSet.list

weblate/api/views.py

The function allowed authenticated users without specific permissions to enumerate all users by sending a request with a short or empty search query to the `/api/users/` endpoint. The patch mitigates this by returning an empty result set if the search query is less than two characters for non-privileged users.

weblate.api.views.UserViewSet.notifications

weblate/api/views.py

The function was vulnerable to an Insecure Direct Object Reference (IDOR) because it lacked an authorization check for GET requests. This allowed any authenticated user to retrieve the notification settings of any other user by accessing the `/api/users/<username>/notifications/` endpoint.

weblate.api.views.UserViewSet.notifications_details

weblate/api/views.py

The function was vulnerable to an Insecure Direct Object Reference (IDOR) because it lacked an authorization check for GET requests. This allowed any authenticated user to retrieve the details of a specific notification subscription for any other user by accessing the `/api/users/<username>/notifications/<subscription_id>/` endpoint.

weblate.api.views.SearchView.get

weblate/api/views.py

The function allowed unauthenticated users to enumerate usernames. The global search endpoint at `/api/search/` included user search results in its response for anonymous users, which could be abused to confirm the existence of users in the system.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-67715: Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)

Impact

Patches

References

CVE-2025-67715:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-67715: Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)

Impact

Patches

References

Technical Details

Basic Information

Basic Information

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI