CVE-2025-32021Use of GET Request Method With Sensitive Query Strings in Weblate

CWE-598Use of GET Request Method With Sensitive Query StringsCWE-547Use of Hard-coded, Security-relevant Constants5 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 45.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Weblateorg WeblateWeblateMsrc Azl3 GIT 2.42.0-2 ON Azure Linux 3.0+7 more
Timeline
PublishedApr 15

Description

Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are writte

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

NVDweblate/weblate< 5.11
PyPIweblate/weblate< 5.11
CVEListV5weblateorg/weblate< 5.11

🔴Vulnerability Details

3
OSV
CVE-2025-32021: Weblate is a web based localization tool2025-04-15
GHSA
VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext2025-04-15
OSV
VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext2025-04-15

📋Vendor Advisories

1
Microsoft
Local Git clone may hardlink arbitrary user-readable files into the new repository's "objects/" directory2024-05-14