Weblate
cpe:2.3:a:weblate:weblate:*:*:*:*:*:*:*
- < 5.15
A server-side request forgery (SSRF) vulnerability has been identified in Weblate versions prior to 5.15. This issue arises in the Create Component functionality, where the repository URL field is not properly validated. This lack of validation allows users to input arbitrary protocols, hostnames, IP addresses, and local filenames. When the Mercurial version control system is selected, Weblate reveals the full server-side HTTP response for the provided URL. This behavior can be exploited to probe internal services, access local files, and, in cloud environments, potentially compromise the entire system by accessing sensitive metadata services.
Exploitation of this vulnerability allows for server-side request forgery, enabling attackers to access internal services and local files. In cloud environments, this could lead to credential disclosure and full environment compromise.
Users can upgrade to Weblate version 5.15 or remove Mercurial from the VCS_BACKENDS configuration. The Git backend is not affected by this vulnerability.
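The two defensive measures this advisory implies are the configuration change it names (dropping the Mercurial backend from VCS_BACKENDS until the upgrade is done) and the validation it says was missing (rejecting repository URLs that point at non-HTTP(S)/SSH schemes, local paths, loopback, private, or link-local addresses). The following Python is an added example written for this page, not Weblate's own code: `disable_mercurial` filters a VCS_BACKENDS tuple on the assumption that Weblate's Mercurial backend lives under the `weblate.vcs.mercurial` module (verify against your own settings file), and `repo_url_problem` is a generic SSRF guard using only the standard library. The allowed scheme set and the sample URLs are constructed for illustration; the check does not resolve hostnames, so a hostname that resolves to an internal address still needs a resolution-time check, and scp-style `user@host:path` values are rejected as scheme-less rather than parsed.

```python
"""Defensive checks for a VCS repository URL field (example code, not Weblate's)."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: only transports a repository should legitimately use.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git+ssh"})

# Assumed module path for Weblate's Mercurial backend; confirm in your settings.
MERCURIAL_MODULE_PREFIX = "weblate.vcs.mercurial."


def disable_mercurial(backends: tuple[str, ...]) -> tuple[str, ...]:
    """Return the VCS_BACKENDS tuple with every Mercurial backend removed."""
    return tuple(b for b in backends if not b.startswith(MERCURIAL_MODULE_PREFIX))


def repo_url_problem(url: str) -> str | None:
    """Return None if the URL is acceptable, otherwise a short rejection reason.

    Rejects local paths, disallowed schemes, missing hosts, loopback names and
    any IP literal that is not publicly routable (loopback, private, link-local,
    reserved, multicast, unspecified).
    """
    parts = urlsplit(url.strip())
    if not parts.scheme:
        # Bare filenames and scp-style "user@host:path" both land here.
        return "local path or scheme-less value"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: syntactically fine here; resolution-time checks are separate.
        return None
    if (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_reserved
        or addr.is_multicast
        or addr.is_unspecified
    ):
        return f"address {host} is not publicly routable"
    return None


def check_urls(urls: list[str]) -> dict[str, str | None]:
    """Run repo_url_problem over several candidates; None means accepted."""
    return {u: repo_url_problem(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample values covering the input kinds the advisory mentions.
    samples = [
        "https://example.com/org/repo.git",  # accepted
        "/srv/repos/local.hg",               # local filename
        "file:///etc/hosts",                  # arbitrary protocol
        "https://127.0.0.1:8080/",            # loopback
        "https://10.1.2.3/repo",              # private range
        "http://169.254.10.10/",              # link-local (and http not allowed)
    ]
    for url, problem in check_urls(samples).items():
        print(f"{url!r}: {'OK' if problem is None else problem}")

    backends = (
        "weblate.vcs.git.GitRepository",
        "weblate.vcs.mercurial.HgRepository",  # assumed class path
    )
    print(disable_mercurial(backends))
```

Apply `disable_mercurial` to your existing VCS_BACKENDS value in the Django settings module, and call `repo_url_problem` in the form or serializer that accepts the component's repository URL before anything touches the network.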