CVE-2025-47951: CWE-307: Improper Restriction of Excessive Authentication Attempts in WeblateOrg weblate
Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has been patched in version 5.12.
AI Analysis
Technical Summary
CVE-2025-47951 is a medium-severity vulnerability affecting Weblate, a web-based localization tool widely used for collaborative translation management. The vulnerability arises from improper restriction of excessive authentication attempts (CWE-307) specifically targeting the second factor authentication (2FA) verification endpoint. Prior to version 5.12, Weblate did not implement rate limiting on the 2FA verification process. This omission allows an attacker who has already obtained valid user credentials (username and password) to automate repeated attempts to guess the one-time password (OTP) used in the second factor. Because the 2FA endpoint lacks throttling or lockout mechanisms, an attacker can perform brute-force or enumeration attacks against the OTP, increasing the likelihood of bypassing the second factor protection. The vulnerability does not require user interaction beyond possessing valid credentials, and it can be exploited remotely over the network. The CVSS v3.1 score of 4.9 reflects a medium severity, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), scope changed (S:C), and low impact on confidentiality and integrity (C:L/I:L), with no impact on availability (A:N). The scope change indicates that a successful exploit could affect resources beyond the initially vulnerable component. This vulnerability was patched in Weblate version 5.12 by introducing rate limiting on the second factor verification endpoint to prevent automated OTP guessing. No known exploits are currently reported in the wild. Given that Weblate is often deployed in organizations managing multilingual content and software localization, the vulnerability primarily threatens the integrity and confidentiality of user accounts and the translation data they manage, potentially enabling unauthorized access or manipulation of localized content.
Potential Impact
For European organizations using Weblate versions prior to 5.12, this vulnerability poses a risk of unauthorized account access despite the presence of two-factor authentication. Attackers who have compromised or obtained valid credentials can bypass the second factor by brute-forcing OTPs without being rate limited, potentially leading to account takeover. This can result in unauthorized modification or leakage of sensitive localization data, which may include proprietary software strings, internal documentation, or customer-facing content. Such compromises could damage the organization's reputation, lead to intellectual property theft, or introduce malicious content into localized software builds. The impact is particularly significant for organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, where the integrity and confidentiality of localized content are critical. Additionally, since Weblate is often integrated into CI/CD pipelines for software releases, compromised accounts could be leveraged to inject malicious code or disrupt release processes, indirectly affecting the availability and trustworthiness of software products. Although no availability impact is directly associated with this vulnerability, the broader scope change means that attackers might pivot to other systems or escalate privileges after bypassing 2FA. The medium severity rating suggests that while the vulnerability is not trivial to exploit (due to the need for valid credentials and high attack complexity), the potential consequences warrant attention, especially in environments with high-value localization data or regulatory compliance obligations.
Mitigation Recommendations
1. Immediate Upgrade: Organizations should upgrade Weblate installations to version 5.12 or later, where the vulnerability is patched by implementing rate limiting on the 2FA verification endpoint.
2. Credential Hygiene: Enforce strong password policies and monitor for credential leaks or reuse to reduce the risk of attackers obtaining valid credentials necessary to exploit this vulnerability.
3. Enhanced Monitoring: Implement monitoring and alerting for unusual authentication patterns, such as repeated OTP verification attempts from the same IP or account, to detect brute force attempts early.
4. Network Controls: Restrict access to Weblate administrative and authentication endpoints via IP whitelisting or VPNs where feasible, limiting exposure to potential attackers.
5. Multi-Factor Authentication Alternatives: Consider deploying additional or alternative second factor methods that may be less susceptible to automated guessing, such as hardware tokens or push-based authentication, if supported.
6. Incident Response Preparedness: Develop and test incident response plans that include steps for handling suspected account compromises in Weblate, including forced password resets and session invalidation.
7. Application Layer Protections: If upgrading is delayed, implement external rate limiting or web application firewall (WAF) rules to throttle requests to the 2FA endpoint, mitigating brute force attempts at the network perimeter.
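The control whose absence is described above, shown as an added illustration rather than Weblate's own code: a sliding-window throttle on second-factor verification that counts failed attempts per account and per client IP and refuses further checks once the limit is reached, so an automated guesser gets no answer from the OTP oracle. The class name, limits and the sample OTP are assumptions chosen for the example.

```python
# Added example, not Weblate's code: throttled OTP verification.
# OtpVerifier, MAX_ATTEMPTS and WINDOW_SECONDS are assumed names/values.
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # failed attempts tolerated per key inside the window
WINDOW_SECONDS = 300    # sliding window length in seconds


class OtpVerifier:
    """Verify a 6-digit OTP while rate limiting per account and per client IP."""

    def __init__(self, expected_code: str, now=time.monotonic):
        self._expected = expected_code
        self._now = now          # injectable clock, makes the limiter testable
        self._failures = defaultdict(deque)   # key -> timestamps of failures

    def _prune(self, key: str, now: float) -> deque:
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def is_throttled(self, key: str) -> bool:
        return len(self._prune(key, self._now())) >= MAX_ATTEMPTS

    def verify(self, username: str, client_ip: str, submitted: str) -> str:
        """Return 'ok', 'invalid' or 'throttled'."""
        now = self._now()
        keys = (f"user:{username}", f"ip:{client_ip}")
        # Check the throttle before comparing: a locked-out key learns nothing.
        if any(len(self._prune(k, now)) >= MAX_ATTEMPTS for k in keys):
            return "throttled"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(submitted.encode(), self._expected.encode()):
            self._failures[f"user:{username}"].clear()   # success resets account
            return "ok"
        for k in keys:
            self._failures[k].append(now)
        return "invalid"


if __name__ == "__main__":
    v = OtpVerifier("482913")   # constructed sample OTP
    for guess in ("000000", "000001", "000002", "000003", "000004", "482913"):
        print(guess, v.verify("alice", "203.0.113.7", guess))
```

The last line of the demo is refused as "throttled" even though the code is correct, which is the behaviour the 5.12 fix introduces; the same counters (failures per account and per IP within a window) are what recommendation 3 suggests alerting on.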
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-14T10:32:43.531Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685086dda8c921274384a88a
Added to database: 6/16/2025, 9:04:29 PM
Last enriched: 6/16/2025, 9:19:45 PM
Last updated: 8/15/2025, 4:09:38 AM