CVE-2025-32021: 
Python vulnerability analysis and mitigation

Weblate, a web-based localization tool, was found to have a security vulnerability (CVE-2025-32021) prior to version 5.11. When creating a new component from an existing component with a source code repository URL in settings, the URL containing sensitive credentials was exposed in client's URL parameters. This vulnerability was discovered and disclosed in April 2025, affecting all Weblate installations before version 5.11, particularly those using the official Docker image (GitHub Advisory).

The vulnerability occurs during the component creation process where repository URLs, including GitHub credentials such as Personal Access Tokens (PAT) and usernames, are exposed in plaintext within URL parameters. The problematic URL follows the pattern: https:///create/component/vcs/?repo=https%3A%2F%2F%3A%40github.com%2F%2F.git. The issue has a CVSS v3.1 score of 2.2 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N, and is classified as CWE-598 (Use of GET Request Method With Sensitive Query Strings) (GitHub Advisory, NVD).

The exposure of credentials in plaintext could lead to unauthorized access to private repositories containing sensitive source code. The vulnerability is particularly concerning as the credentials are saved in browser history and server logs. Browser extensions with history access permissions could potentially extract these credentials, providing an attack vector for unauthorized repository access (GitHub Advisory).

The vulnerability has been patched in Weblate version 5.11. Users are advised to upgrade to this version or later to address the security issue. The fix prevents the exposure of sensitive credentials in URL parameters and logs (GitHub Release).