Critical severity · OSV Advisory · Published Dec 18, 2025 · Updated Feb 6, 2026

Weblate has git config file overwrite vulnerability that leads to remote code execution

CVE-2025-68398

Description

Weblate is a web-based localization tool. In versions prior to 5.15.1, user-supplied file names were not checked against prohibited folders, so a path such as `.git/config` could be written to, allowing the repository's Git configuration to be overwritten remotely and some of Git's behavior to be overridden; the advisory title rates the resulting impact as remote code execution. Version 5.15.1 fixes the issue by rejecting file names that contain a prohibited folder and by passing the SSH wrapper to Git through `GIT_SSH_COMMAND` instead of `GIT_SSH`.
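
As an added example (not Weblate's code or the advisory's), the following Python contrasts a substring-only file-name check of the kind the fix replaced with a component-wise check that refuses prohibited folders after normalising path separators, and builds the Git environment the fix moves to. `PROHIBITED_DIRS`, the function names, the error class and the sample paths are assumptions for this example; Weblate's own `PATH_EXCLUDES` list is not shown on this page.

```python
"""Component-wise prohibited-path validation for user-supplied file names.

Added example, not Weblate's code. It contrasts a substring check of the
kind the fix replaced with a check that works on path components after
normalising separators. PROHIBITED_DIRS, the function names and the
error type are assumptions for this example.
"""
from __future__ import annotations

import shlex

# Version-control metadata folders that a user-controlled file name must never
# reach. Writing .git/config is the classic target because Git reads core.*
# settings (including which program to run as ssh) from it. Assumed list.
PROHIBITED_DIRS = frozenset({".git", ".hg", ".svn", ".bzr"})


class ProhibitedPathError(ValueError):
    """Raised when a file name would escape or land in a prohibited folder."""


def naive_check(value: str) -> bool:
    """Substring check in the style of the pre-fix validator: True if accepted.

    It stops '../' and '..\\' but has no notion of prohibited folders, so
    '.git/config' and 'path\\.git\\config' both pass.
    """
    return "../" not in value and "..\\" not in value


def components(value: str) -> list[str]:
    """Split on both separator styles and drop empty and '.' segments."""
    return [p for p in value.replace("\\", "/").split("/") if p not in ("", ".")]


def validate_filename(value: str, *, check_prohibited: bool = True) -> str:
    """Return the cleaned relative path or raise ProhibitedPathError.

    Rejects NUL bytes, absolute paths, any '..' component (not just the
    '../' substring) and, when check_prohibited is set, any component that
    names a prohibited folder, compared case-insensitively so that
    case-folding filesystems cannot be used to dodge the check.
    """
    if "\x00" in value:
        raise ProhibitedPathError("file name contains a NUL byte")
    if value.startswith(("/", "\\")):
        raise ProhibitedPathError("absolute paths are not allowed")
    parts = components(value)
    if ".." in parts:
        raise ProhibitedPathError("file name refers to a parent directory")
    if check_prohibited:
        for part in parts:
            if part.lower() in PROHIBITED_DIRS:
                raise ProhibitedPathError(f"prohibited folder in file name: {part}")
    return "/".join(parts)


def is_allowed(value: str, *, check_prohibited: bool = True) -> bool:
    """Boolean wrapper around validate_filename for tables and tests."""
    try:
        validate_filename(value, check_prohibited=check_prohibited)
    except ProhibitedPathError:
        return False
    return True


def git_env(ssh_wrapper: str, ceiling_dir: str) -> dict[str, str]:
    """Environment for running git so repository config cannot pick the ssh binary.

    Git consults GIT_SSH_COMMAND, then the repository's core.sshCommand, and
    only then GIT_SSH. Setting GIT_SSH_COMMAND therefore beats an attacker-
    written .git/config, while GIT_SSH would lose to it. GIT_SSH_COMMAND is
    parsed by a shell, so the wrapper path is quoted.
    """
    return {
        "GIT_CEILING_DIRECTORIES": ceiling_dir,
        "GIT_SSH_COMMAND": shlex.quote(ssh_wrapper),
    }


if __name__ == "__main__":
    # Constructed sample names: the first three are the dangerous ones.
    samples = [".git/config", "path\\.git\\config", "locale/..", "po/cs.po", "a..b.po"]
    for name in samples:
        print(f"{name!r:28} naive={naive_check(name)!s:5} hardened={is_allowed(name)}")
    print(git_env("/srv/weblate/data/vcs/ssh wrapper", "/srv/weblate/data/vcs"))
```

Checking components rather than substrings is what makes the Windows-style `path\.git\config` and the trailing `locale/..` cases fail while a harmless `a..b.po` still passes; `check_prohibited=False` is kept to show how a caller that has its own extraction-time filter (as the backup restore path in the fix does) can opt out without losing the parent-directory check.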

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
Weblate (PyPI)  < 5.15.1            5.15.1

Patches

dd8c9d7b00ee

fix(vcs): use GIT_SSH_COMMAND to override ssh command

https://github.com/WeblateOrg/weblate · Michal Čihař · Dec 17, 2025 · via GHSA
1 file changed · +1 -1
  • weblate/vcs/base.py · +1 -1 · modified
    @@ -190,7 +190,7 @@ def _getenv(environment: dict[str, str] | None = None) -> dict[str, str]:
                 # Avoid Git traversing outside the data dir
                 "GIT_CEILING_DIRECTORIES": data_path("vcs").as_posix(),
                 # Use ssh wrapper
    -            "GIT_SSH": SSH_WRAPPER.filename.as_posix(),
    +            "GIT_SSH_COMMAND": SSH_WRAPPER.filename.as_posix(),
                 "SVN_SSH": SSH_WRAPPER.filename.as_posix(),
             }
             if environment:
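Review bot: `GIT_SSH_COMMAND` is interpreted by the shell, unlike `GIT_SSH`, which is executed directly, so the wrapper path on the `+` line should be shell-quoted (for example `shlex.quote(SSH_WRAPPER.filename.as_posix())`) in case the data directory ever contains spaces or metacharacters. The switch itself is the right defence: Git lets a repository's own `core.sshCommand` setting take precedence over `GIT_SSH` but not over `GIT_SSH_COMMAND`, so before this change an attacker-written `.git/config` could redirect the SSH invocation away from the wrapper. `SVN_SSH` on the unchanged line still points at the wrapper unquoted, so the Subversion path keeps its previous behaviour.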
    
4837a4154390

fix(validators): reject certain paths from being used

https://github.com/WeblateOrg/weblate · Michal Čihař · Dec 16, 2025 · via GHSA
4 files changed · +16 -3
  • weblate/trans/backups.py · +1 -1 · modified
    @@ -550,7 +550,7 @@ def validate(self) -> None:
                 self.load_memory(zipfile)
                 self.load_components(zipfile)
                 for name in zipfile.namelist():
    -                validate_filename(name)
    +                validate_filename(name, check_prohibited=False)
     
         def restore_unit(
             self,
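Review bot: the `check_prohibited=False` on the `+` line means a backup archive containing a `.git/config` entry passes `validate_filename` here, so protection on restore rests entirely on the extraction code skipping excluded paths; a one-line comment saying so, plus a test that restoring an archive with a `.git/config` entry does not write that file, would make the exception reviewable instead of something a later cleanup might drop. Note also that this loop validates the archive names only after `load_memory` and `load_components` have already been run on the same zipfile two lines above.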
    
  • weblate/utils/files.py · +1 -1 · modified
    @@ -90,7 +90,7 @@ def should_skip(location):
         )
     
     
    -def is_excluded(path):
    +def is_excluded(path: str) -> bool:
         """Whether path should be excluded from zip extraction."""
         return any(exclude in f"/{path}/" for exclude in PATH_EXCLUDES) or ".." in path
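Review bot: the docstring on `is_excluded` still says "excluded from zip extraction", but the function is now also the policy behind the prohibited-folder check in `validate_filename`; reword it as the shared prohibited-path predicate. Two behaviours deserve a comment or test: the `f"/{path}/"` wrapping only matches forward-slash-delimited entries, so whether `path\.git\config` is caught depends on the caller normalising separators first; and `".." in path` is a substring match, so a legitimate name such as `a..b.po` is excluded here while the parent-directory check in `validate_filename` only looks for `../` and `..\`.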
     
    
  • weblate/utils/tests/test_validators.py · +10 -0 · modified
    @@ -139,6 +139,16 @@ def test_simplification(self) -> None:
         def test_empty(self) -> None:
             validate_filename("")
     
    +    def test_prohibited(self) -> None:
    +        with self.assertRaises(ValidationError):
    +            validate_filename(".git/config")
    +        validate_filename(".git/config", check_prohibited=False)
    +
    +    def test_prohibited_subdir(self) -> None:
    +        with self.assertRaises(ValidationError):
    +            validate_filename("path/.git/config")
    +        validate_filename("path/.git/config", check_prohibited=False)
    +
     
     class RegexTest(SimpleTestCase):
         def test_empty(self) -> None:
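Review bot: the two new tests only exercise the literal `.git/config` spelling; add, in the same one-line `validate_filename(...)` style as `test_prohibited`, a Windows-style path (`path\\.git\\config`), a differently cased `.GIT/config` if the data directory may sit on a case-insensitive filesystem, one case per remaining entry of `PATH_EXCLUDES`, and a negative case such as `.github/config` or `gitconfig` to confirm the `/{path}/` wrapping in `is_excluded` does not over-match.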
    
  • weblate/utils/validators.py · +4 -1 · modified
    @@ -33,6 +33,7 @@
     from weblate.trans.util import cleanup_path
     from weblate.utils.const import WEBHOOKS_SECRET_PREFIX
     from weblate.utils.data import data_dir
    +from weblate.utils.files import is_excluded
     
     USERNAME_MATCHER = re.compile(r"^[\w@+-][\w.@+-]*$")
     
    @@ -238,7 +239,7 @@ def validate_plural_formula(value) -> None:
             ) from error
     
     
    -def validate_filename(value) -> None:
    +def validate_filename(value: str, *, check_prohibited: bool = True) -> None:
         if "../" in value or "..\\" in value:
             raise ValidationError(
                 gettext("The filename can not contain reference to a parent directory.")
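Review bot: the parent-directory check on the unchanged line below the new signature matches only the substrings `../` and `..\`, so a trailing `..` segment (`locale/..`) or a bare `..` is not rejected by this check and, when a caller passes `check_prohibited=False`, not by `is_excluded` either; testing for a `..` component of the cleaned path (`".." in cleaned.split("/")`) would close that regardless of the flag. Making `check_prohibited` keyword-only with a default of `True` is the right call, since every existing caller keeps the stricter behaviour.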
    @@ -254,6 +255,8 @@ def validate_filename(value) -> None:
                     "Maybe you want to use: {}"
                 ).format(cleaned)
             )
    +    if check_prohibited and is_excluded(cleaned):
    +        raise ValidationError(gettext("The filename contains a prohibited folder."))
     
     
     def validate_backup_path(value: str) -> None:
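Review bot: the new check on the `+` lines correctly runs on `cleaned`, but the message does not say which folder was prohibited; echo the offending segment, as the "Maybe you want to use" message above already echoes `cleaned`, so a user who legitimately has a `.git` directory in a template path can see what tripped. Consider also running this check before the cleaned-path comparison, so that someone submitting `./.git/config` is told the path is prohibited rather than asked to resubmit it in cleaned form first.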
    
