CVE-2025-64725: CWE-286: Incorrect User Management in WeblateOrg weblate
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
AI Analysis
Technical Summary
CVE-2025-64725 affects the Weblate localization platform in versions prior to 5.15 and is classified as CWE-286 (Incorrect User Management). Weblate lets an invitation to join a project be opened in a browser session and accepted afterwards; before 5.15, the acceptance step did not verify that the account accepting the invitation was the one for which it had been opened, so a different user acting in the same session could accept an invitation that someone else had opened. Exploitation requires that the legitimate user leave a session with an opened invitation unattended and that the attacker obtain access to that session or device. The CVSS 4.0 score of 1.0 reflects the local access and user interaction required and the limited confidentiality, integrity and availability impact. The flaw does not give privilege escalation or direct data compromise, but it can cause an invitation, and the project access it carries, to be granted to an account it was not meant for. Weblate 5.15 contains the fix and affected deployments should upgrade; until then, users should not leave a session with an opened invitation unattended.
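The following stand-alone model illustrates the class of flaw described above: an invitation token parked in a browser session is accepted by whichever account is logged in at that moment, beside a hardened acceptance routine that binds the invitation to its addressee and to the account that opened it. It is an added example written for this page, not Weblate's code or its actual fix; the Invitation and Session classes, the USERS table, the function names and the "alice"/"bob" scenario are all constructed for illustration.

```python
"""Model of the invitation flaw behind CVE-2025-64725 (CWE-286).

Constructed, stand-alone example: not Weblate's code and not its patch.
All names (Invitation, Session, open_invitation, accept_vulnerable,
accept_fixed) and the sample users are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Invitation:
    token: str
    project: str
    email: str                      # address the invitation was sent to
    accepted_by: Optional[str] = None


@dataclass
class Session:
    """One browser session (one cookie). Session data outlives a logout,
    which is what lets a second login see the first user's invitation."""
    user_id: Optional[str] = None
    data: dict = field(default_factory=dict)

    def login(self, user_id: str) -> None:
        self.user_id = user_id

    def logout(self) -> None:
        self.user_id = None         # data deliberately kept, as a web session might


USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}  # constructed


def open_invitation(session: Session, inv: Invitation) -> None:
    """Visiting the invitation link parks the token in the session."""
    session.data["invitation"] = inv.token
    session.data["invitation_opened_by"] = session.user_id


def accept_vulnerable(session, invitations, memberships):
    """Flawed behaviour: whoever is logged in now receives the membership."""
    token = session.data.get("invitation")
    if token is None or session.user_id is None:
        return False
    inv = invitations[token]
    inv.accepted_by = session.user_id
    memberships.setdefault(inv.project, set()).add(session.user_id)
    return True


def accept_fixed(session, invitations, memberships):
    """Hardened acceptance: the invitation is consumed from the session,
    must be unused, must be addressed to the accepting account, and must
    have been opened by that same account (or anonymously)."""
    token = session.data.pop("invitation", None)
    opened_by = session.data.pop("invitation_opened_by", None)
    user = session.user_id
    if token is None or user is None:
        return False
    inv = invitations.get(token)
    if inv is None or inv.accepted_by is not None:   # unknown or already used
        return False
    if USERS.get(user) != inv.email:                 # not the addressee
        return False
    if opened_by is not None and opened_by != user:  # opened by someone else
        return False
    inv.accepted_by = user
    memberships.setdefault(inv.project, set()).add(user)
    return True


def run_scenario(accept):
    """Alice opens the invitation and walks away; Bob logs in on the same
    browser session and tries to accept it. Returns (accepted, by, members)."""
    inv = Invitation("tok-1", "docs", "alice@example.org")
    invitations = {inv.token: inv}
    memberships: dict = {}
    s = Session()
    s.login("alice")
    open_invitation(s, inv)
    s.logout()
    s.login("bob")
    accepted = accept(s, invitations, memberships)
    return accepted, inv.accepted_by, memberships.get("docs", set())


def run_legitimate(accept):
    """Alice opens and accepts her own invitation in one sitting."""
    inv = Invitation("tok-2", "docs", "alice@example.org")
    invitations = {inv.token: inv}
    memberships: dict = {}
    s = Session()
    s.login("alice")
    open_invitation(s, inv)
    accepted = accept(s, invitations, memberships)
    return accepted, inv.accepted_by


if __name__ == "__main__":
    print("vulnerable, hijacked session:", run_scenario(accept_vulnerable))
    print("fixed, hijacked session:     ", run_scenario(accept_fixed))
    print("fixed, legitimate flow:      ", run_legitimate(accept_fixed))
```

The two checks in accept_fixed address different failure modes: the addressee check stops any account other than the invited one from consuming the token, and the opened-by check stops the session-reuse case even for an invitation with no strict addressee. Popping the token out of the session on every attempt, successful or not, also removes the window that the advisory's workaround (not leaving an opened invitation unattended) asks users to close by hand.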
Potential Impact
For European organizations that run Weblate for localization, the risk is limited but real. An invitation accepted by the wrong account gives that account the project access the invitation carried, which can expose translation content and permit unwanted edits; where localized content is tied to unreleased products or intellectual property, that has reputational and operational consequences. The need for access to the victim's session and for the victim to leave an opened invitation unattended makes broad exploitation unlikely, but an insider, a compromised workstation, or a shared or remote-desktop session is exactly that setting. Availability is not affected. Where the localization data is personal or otherwise regulated, access obtained this way can also bear on data protection obligations.
Mitigation Recommendations
Upgrade Weblate to version 5.15 or later; that is the fix. Until the upgrade is done, treat the vendor workaround as policy: users must not leave a Weblate session with an opened invitation unattended, and should accept or discard an invitation in the same sitting in which they open it. Enforce idle session timeouts and screen locking on the devices used to reach Weblate, and restrict physical and remote access to shared workstations and remote-desktop hosts. Review invitations and their acceptance in Weblate's access logs so that an invitation accepted by an account other than its addressee is noticed, and re-check project membership after any suspected misuse. Multi-factor authentication for Weblate accounts and managing Weblate access through the organization's identity provider do not by themselves block acceptance from within an already authenticated session, but they limit what an attacker gains from a recovered session and keep membership reviewable.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T14:07:42.923Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69406fd9d9bcdf3f3d0056ae
Added to database: 12/15/2025, 8:30:17 PM
Last enriched: 12/15/2025, 8:45:34 PM
Last updated: 12/16/2025, 3:51:05 AM