MEDIUM 4.9

GHSA-57jg-m997-cx3q

Weblate lacks rate limiting when verifying second factor

상세

### Impact

The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.

### Patches

This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.

### References

Thanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / weblate

최초 영향 버전: 0 수정 버전: 5.12

수정 pip install --upgrade 'weblate>=5.12'

참고

https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-47951 [ADVISORY]
https://github.com/WeblateOrg/weblate/pull/14918 [WEB]
https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384 [WEB]
https://hackerone.com/reports/3150564 [WEB]
https://github.com/WeblateOrg/weblate [PACKAGE]
https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1 [WEB]