MEDIUM 4.9

GHSA-57jg-m997-cx3q

Weblate lacks rate limiting when verifying second factor

Details

### Impact

The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.

### Patches

This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.

### References

Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / weblate

Introduced in: 0 Fixed in: 5.12

Fix pip install --upgrade 'weblate>=5.12'

References

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-47951 [ADVISORY]
https://github.com/WeblateOrg/weblate/pull/14918 [WEB]
https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384 [WEB]
https://hackerone.com/reports/3150564 [WEB]
https://github.com/WeblateOrg/weblate [PACKAGE]
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1 [WEB]