MEDIUM 5.3 PyPI
Weblate's over-permissive webhook endpoint enables mass repository updates and component enumeration
GHSA-pj86-258h-qrvf · CVE-2025-67492 · PYSEC-2025-232
Description
Impact
It was possible to trigger repository updates for many repositories via a crafted webhook payload.
Patches
Workarounds
Disabling webhooks completely via the ENABLE_HOOKS setting avoids this vulnerability.
Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to us.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-pj86-258h-qrvf
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-67492
- WEB https://github.com/WeblateOrg/weblate/pull/17221
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-232.yaml