Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68398

CVE-2025-68398: Weblate RCE Vulnerability

CVE-2025-68398 is a remote code execution vulnerability in Weblate that allows attackers to overwrite Git configuration remotely. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-68398 Overview

CVE-2025-68398 is a critical input validation vulnerability affecting Weblate, a popular web-based localization tool used for software translation management. In versions prior to 5.15.1, attackers could remotely overwrite Git configuration and override its behavior, potentially leading to unauthorized modifications and system compromise.

This vulnerability stems from improper validation of file paths and insecure handling of Git SSH command configuration. The flaw allows remote attackers to manipulate Git behavior through crafted requests without requiring authentication, posing significant risk to organizations using Weblate for their translation workflows.

Critical Impact

Remote attackers can overwrite Git configuration and override system behavior, potentially leading to unauthorized repository modifications, data integrity compromise, and service disruption without authentication.

Affected Products

  • Weblate versions prior to 5.15.1
  • All Weblate installations using Git-based version control integration
  • Self-hosted and cloud deployments with default configurations

Discovery Timeline

  • December 18, 2025 - CVE-2025-68398 published to NVD
  • February 6, 2026 - Last updated in NVD database

Technical Details for CVE-2025-68398

Vulnerability Analysis

The vulnerability exists in Weblate's handling of file path validation and Git SSH command configuration. The core issue involves two primary weaknesses: insufficient path validation during backup restoration operations and an insecure method of specifying the Git SSH wrapper.

The improper input validation (CWE-20) allows attackers to bypass intended security controls. During backup restoration, the application failed to properly validate filenames, potentially allowing prohibited paths to be processed. Additionally, the use of GIT_SSH environment variable instead of GIT_SSH_COMMAND allowed for potential configuration override attacks.

The network-accessible attack vector means remote unauthenticated attackers can exploit this vulnerability to modify Git repository behavior, potentially injecting malicious configurations or redirecting Git operations to attacker-controlled servers.

Root Cause

The root cause stems from two interconnected issues in Weblate's codebase:

  1. Insufficient Path Validation: The validate_filename() function was called without the check_prohibited=False parameter during backup restoration, allowing potentially dangerous file paths to slip through validation.

  2. Insecure Git SSH Configuration: The application used GIT_SSH environment variable to specify the SSH wrapper, which can be overridden more easily than GIT_SSH_COMMAND. This allowed attackers to potentially inject their own SSH commands.

The is_excluded() function in weblate/utils/files.py checks for excluded paths using the PATH_EXCLUDES list, but the validation logic could be circumvented under certain conditions.

Attack Vector

The attack exploits the network-accessible Git configuration mechanism in Weblate. An attacker can craft malicious requests that manipulate how the application handles Git operations:

  1. The attacker identifies a Weblate instance accessible over the network
  2. By exploiting the path validation weakness, malicious configuration files can be introduced
  3. The attacker overrides Git behavior by manipulating the SSH command configuration
  4. This can lead to unauthorized repository access, data manipulation, or command execution
python
# Security patch in weblate/trans/backups.py
# Source: https://github.com/WeblateOrg/weblate/commit/4837a4154390f7c1d03c0e398aa6439dcfa361b4

            self.load_memory(zipfile)
            self.load_components(zipfile)
            for name in zipfile.namelist():
-                validate_filename(name)
+                validate_filename(name, check_prohibited=False)

    def restore_unit(
        self,
python
# Security patch in weblate/vcs/base.py - Fixed SSH command configuration
# Source: https://github.com/WeblateOrg/weblate/commit/dd8c9d7b00eebe28770fa0e2cd96126791765ea7

            # Avoid Git traversing outside the data dir
            "GIT_CEILING_DIRECTORIES": data_path("vcs").as_posix(),
            # Use ssh wrapper
-            "GIT_SSH": SSH_WRAPPER.filename.as_posix(),
+            "GIT_SSH_COMMAND": SSH_WRAPPER.filename.as_posix(),
            "SVN_SSH": SSH_WRAPPER.filename.as_posix(),
        }
        if environment:

Detection Methods for CVE-2025-68398

Indicators of Compromise

  • Unexpected modifications to Git configuration files in Weblate data directories
  • Unusual SSH connection attempts originating from the Weblate server to unknown hosts
  • Modified or newly created files in the .git/config within repository directories
  • Anomalous backup restoration operations in application logs

Detection Strategies

  • Monitor Weblate application logs for backup restoration events with suspicious filenames containing path traversal sequences
  • Implement file integrity monitoring on Git configuration files within Weblate's data directory
  • Review network connections from the Weblate server for unexpected SSH traffic to unknown destinations
  • Audit the GIT_SSH and GIT_SSH_COMMAND environment variables for unauthorized modifications

Monitoring Recommendations

  • Enable detailed logging for all Git operations within Weblate and forward logs to SIEM solutions
  • Set up alerts for any changes to files matching .git/* patterns in monitored directories
  • Implement network segmentation to limit outbound SSH connections from Weblate servers
  • Deploy SentinelOne agents on Weblate hosts to detect suspicious process execution and file modifications

How to Mitigate CVE-2025-68398

Immediate Actions Required

  • Upgrade Weblate to version 5.15.1 or later immediately
  • Review Git repository configurations for any unauthorized modifications
  • Audit backup restoration logs for suspicious activity
  • Restrict network access to Weblate instances using firewall rules until patching is complete

Patch Information

The vulnerability has been fixed in Weblate version 5.15.1. The security patches address both the path validation issue and the Git SSH command configuration weakness:

For detailed information, refer to the Weblate Security Advisory GHSA-8vcg-cfxj-p5m3.

Workarounds

  • Temporarily disable backup restoration functionality if upgrading is not immediately possible
  • Implement strict network access controls to limit who can reach the Weblate web interface
  • Place Weblate behind a Web Application Firewall (WAF) with rules to block suspicious file path patterns
  • Monitor and restrict environment variable modifications on the Weblate server
bash
# Configuration example - Restrict network access to Weblate
# Add firewall rules to limit access to trusted IPs only

# Using iptables to restrict access to Weblate port
iptables -A INPUT -p tcp --dport 443 -s trusted_network/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Alternatively, use nginx to restrict access
# In nginx.conf server block:
# allow 192.168.1.0/24;
# deny all;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.