9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68398

CVE-2025-68398: Weblate has git config file overwrite vulnerability that leads to remote code execution

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68398

CVE-2025-68398:

9.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Weblate	pip	< 5.15.1	5.15.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal issue in Weblate that allows an attacker to overwrite the .git/config file, leading to remote code execution. The root cause of the vulnerability lies in the validate_filename function, which failed to properly sanitize user-provided file paths, thus allowing traversal to sensitive directories like .git. The patch 0e8e80c4ac40cd95bbb9c1c9ccb60940fd6344f8 rectifies this by adding a check for prohibited paths within validate_filename. A specific example of a vulnerable code path is the Backup.validate method, which processes filenames from backup archives. Before the patch, this method used the flawed validate_filename function, making it possible for a malicious backup file to overwrite the git configuration. Additionally, commit 2d69b4215942ccbd0ea6a34be8f47031e57b414c was introduced as a defense-in-depth measure, hardening the system by changing the environment variable for git's SSH command to one with higher precedence, thereby making exploitation more difficult even if the configuration file is compromised.

Vulnerable functions

validate_filename

weblate/utils/validators.py

This function was missing a check for prohibited paths, allowing path traversal. An attacker could provide a malicious path like '.git/config' to a feature that uses this validation function, overwrite the git configuration, and achieve remote code execution. The patch adds the missing check by calling 'is_excluded' and raising a 'ValidationError' if the path is prohibited.

Backup.validate

weblate/trans/backups.py

This method processes backup archives and validates filenames within them. Before the patch, it called the vulnerable 'validate_filename' function without any restrictions. An attacker could craft a malicious backup archive with a file path like '.git/config'. When this backup is restored, the malicious config file would be written, leading to RCE. The patch modifies the call to disable the new check, suggesting that backup restoration is now handled as a privileged operation where this check is not applied.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68398: Weblate has git config file overwrite vulnerability that leads to remote code execution

CVE-2025-68398:

9.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-68398: Weblate has git config file overwrite vulnerability that leads to remote code execution

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.1

9.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI