Cyber Resilience

CVE-2025-32021

LowPublic PoC

Published: 15 April 2025

Published
15 April 2025
Modified
30 April 2025
KEV Added
Patch
CVSS Score v3.1 2.2 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0026 49.6th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32021 is a low-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Weblate Weblate. Its CVSS base score is 2.2 (Low).

Operationally, ranked at the 49.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Weblate is a web based localization tool. Prior to version 5.11, when creating a new component from an existing component that has a source code repository URL specified in settings, this URL is included in the client's URL parameters during…

more

the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and get saved into browser history. Moreover, if the request URL is logged, the credentials are written to logs in plaintext. If using Weblate official Docker image, nginx logs the URL and the token in plaintext. This issue is patched in version 5.11.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

weblate
weblate
≤ 5.11

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-598

Protects sensitive data placed in query strings from interception in transit when confidentiality controls like HTTPS are enforced.

References