CVE-2025-61587: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in WeblateOrg weblate

Low
Tags: Vulnerability, CVE-2025-61587, CWE-601, CWE-1395
Published: Wed Oct 01 2025 (10/01/2025, 22:01:00 UTC)
Source: CVE Database V5
Vendor/Project: WeblateOrg
Product: weblate

Description

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECT_DOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an attacker-controlled site. The redirect can also be used to initiate drive-by downloads (redirecting to a URL that serves a malicious file), increasing the risk to end users. This issue is fixed in version 5.13.3.

AI-Powered Analysis

AI analysis last updated: 10/01/2025, 22:05:14 UTC

Technical Analysis

CVE-2025-61587 is an open redirect vulnerability affecting Weblate, a web-based localization tool widely used for collaborative translation management. The vulnerability exists in versions 5.13.2 and earlier, specifically when Weblate is configured with the Anubis authentication backend and the REDIRECT_DOMAINS setting is not configured. The issue arises from improper validation of the 'redir' parameter on the legitimate Weblate domain, allowing an attacker to craft URLs that redirect users to arbitrary, attacker-controlled external websites. This can be exploited for phishing by luring users to malicious sites through links that appear to originate from a trusted domain. The redirect can also facilitate drive-by downloads by sending victims to URLs hosting malicious payloads, increasing the risk of malware infection. Exploitation does not require authentication but does require user interaction, since the victim must follow the crafted URL. The CVSS 4.0 score is 2.1 (low severity), reflecting limited impact on confidentiality, integrity, and availability; the required user interaction also moderates the ease of exploitation. The issue is resolved in Weblate version 5.13.3 by properly restricting redirect targets via the REDIRECT_DOMAINS configuration, preventing redirection to untrusted domains.

Potential Impact

For European organizations using Weblate for localization and translation workflows, this vulnerability poses a risk primarily to end users who may be redirected to malicious sites, potentially leading to phishing attacks or malware infections. While the direct impact on the Weblate system's confidentiality, integrity, or availability is minimal, the reputational damage and potential compromise of user endpoints can be significant. Organizations in sectors with high reliance on multilingual content management, such as software development firms, multinational corporations, and government agencies, may be targeted to exploit trust in their legitimate Weblate domains. The risk is compounded if attackers use the vulnerability to distribute malware or harvest credentials via social engineering. However, since exploitation requires user interaction and the vulnerability is low severity, the overall threat level is moderate but should not be ignored, especially in environments with sensitive data or regulatory compliance requirements like GDPR.

Mitigation Recommendations

European organizations should upgrade all Weblate instances to version 5.13.3 or later immediately to eliminate the vulnerability. If upgrading is not immediately feasible, administrators must configure the REDIRECT_DOMAINS setting to explicitly whitelist trusted domains for redirection, thereby preventing open redirects to untrusted sites. Additionally, organizations should implement strict URL filtering and monitoring on their web gateways and email security solutions to detect and block suspicious URLs that exploit this vulnerability. User awareness training should emphasize caution when clicking on URLs, even if they appear to originate from trusted domains. Weblate administrators should audit their authentication backend configurations to ensure Anubis is used securely and review logs for unusual redirect activity. Finally, integrating Weblate with web application firewalls (WAFs) that can detect and block open redirect attempts can provide an additional layer of defense.
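The following Python is an added illustration of the point made in the Technical Analysis and Mitigation sections, not Weblate's own code: an unchecked redir parameter beside an allowlist check keyed on a REDIRECT_DOMAINS-style list of trusted hostnames. The setting name comes from the advisory; the function names, sample hostnames and the exact matching rules are constructed for this example and do not describe Weblate's actual implementation.

```python
from urllib.parse import urlsplit

# Constructed example of what an operator would put in a REDIRECT_DOMAINS
# setting: hostnames that redirects may point at. An empty list models the
# "not set" case from the advisory.
REDIRECT_DOMAINS = ["weblate.example.org", "translate.example.org"]


def redirect_target_unchecked(redir: str) -> str:
    """Vulnerable pattern: the redir parameter is used as the Location as-is."""
    return redir


def redirect_target_checked(redir: str, allowed: list, fallback: str = "/") -> str:
    """Hardened pattern: honour only same-origin paths or allowlisted hosts.

    Anything else (scheme-relative '//host', backslash tricks, userinfo
    tricks, non-http(s) schemes, hosts not in `allowed`) yields `fallback`.
    """
    if not redir:
        return fallback
    # Browsers treat '\' like '/', which defeats naive prefix checks; reject it.
    if "\\" in redir:
        return fallback
    parts = urlsplit(redir)
    if not parts.scheme and not parts.netloc:
        # Relative path on the current origin: exactly one leading '/'.
        if redir.startswith("/") and not redir.startswith("//"):
            return redir
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # .hostname strips userinfo and port and lower-cases the host, so
    # 'https://weblate.example.org@untrusted.example/' resolves to the
    # untrusted host, not the allowlisted one.
    host = parts.hostname or ""
    if host in {h.lower() for h in allowed}:
        return redir
    return fallback
```

With REDIRECT_DOMAINS left empty the checked variant refuses every absolute URL, which is the conservative default an allowlist should have; the unchecked variant is what lets a link on the legitimate domain land on an untrusted one.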

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-26T16:25:25.150Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dda589b3e3ddcc713a4ba5

Added to database: 10/1/2025, 10:04:57 PM

Last enriched: 10/1/2025, 10:05:14 PM

Last updated: 10/2/2025, 2:05:57 AM
