Weblate Repository URL Validation Vulnerability in Project Backup Import

Vulnerability

A vulnerability in Weblate prior to version 5.17.1 allows authenticated users with project.add permission to import a manipulated project backup ZIP. This ZIP can contain a components/<name>.json file with an attacker-selected repository URL that points to a private address or uses a non-allow-listed scheme. The vulnerability arises because Weblate's component import process bypasses essential URL validation, allowing invalid or harmful URLs to be written directly into the project's Git configuration. This issue has been addressed in Weblate version 5.17.1.

Impact

Exploitation of this vulnerability could lead to an authenticated server-side request forgery (SSRF) condition, where the Weblate application makes requests to internal services or resources based on the attacker's input. Additionally, according to Weblate, this vulnerability could allow for repository URL validation bypass, potentially leading to other impacts depending on the specific URL used.

Reproduction

To reproduce this vulnerability, an authenticated user with project.add permission can create a project backup that includes a components/<name>.json file. This file should contain a repository URL that either points to a private address, such as http://127.0.0.1:9999/, or uses a non-allow-listed scheme like file:// or git://. Once this backup is created, it can be imported into Weblate, which will restore the project component without validating the repository URL. After the import, the component's repository URL can be found in the project's Git configuration, where it was written verbatim without proper validation.

Remediation

Users can update to Weblate version 5.17.1 or later, where this vulnerability has been patched.
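The missing check described above can be reconstructed as a pre-import audit that rejects non-allow-listed schemes and loopback/private literal hosts in every components/<name>.json inside a backup ZIP. This is an added example, not Weblate's own code or fix; the "repo" JSON key, the allow-list and the sample ZIP contents are assumptions constructed for the demonstration.

```python
import io
import ipaddress
import json
import zipfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumed allow-list; a real deployment sets its own
REPO_KEY = "repo"  # hypothetical JSON key for the repository URL; the real backup layout may differ

def validate_repo_url(url: str) -> list[str]:
    """Return reasons to reject a repository URL; an empty list means it passed.
    Only literal IP hosts are classified; a hostname resolving to an internal
    address must be re-checked at resolution time (DNS rebinding)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allow-listed")
    host = parts.hostname
    if not host:  # e.g. file:///path carries no host at all
        problems.append("missing host")
        return problems
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not a literal address
    if host == "localhost" or (addr is not None and (addr.is_loopback or addr.is_private or addr.is_link_local)):
        problems.append(f"host {host!r} is loopback, private or link-local")
    return problems

def audit_backup(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each components/<name>.json whose URL fails validation to its problems."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("components/") and name.endswith(".json"):
                url = json.loads(zf.read(name)).get(REPO_KEY, "")
                if problems := validate_repo_url(url):
                    findings[name] = problems
    return findings

def build_sample_backup() -> bytes:
    """Constructed sample backup: one clean component and two that must be rejected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("components/ok.json", json.dumps({REPO_KEY: "https://git.example.org/team/app.git"}))
        zf.writestr("components/loopback.json", json.dumps({REPO_KEY: "http://127.0.0.1:9999/"}))
        zf.writestr("components/file-scheme.json", json.dumps({REPO_KEY: "file:///srv/git/app.git"}))
    return buf.getvalue()
```

Running audit_backup(build_sample_backup()) flags the loopback and file:// components and leaves the https component untouched; the same check belongs in the import path itself, before anything is written to the Git configuration.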

Added: May 7, 2026, 3:40 PM
Updated: May 7, 2026, 3:40 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.9
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.