CVE-2025-32021: VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
When a new component is created from an existing component that has a source code repository URL configured in its settings, that repository URL is passed as a URL (query string) parameter of the request the browser makes during the creation flow. If the repository URL embeds credentials, for example a GitHub username and personal access token (PAT), those credentials appear in plaintext in the address bar and are saved to the browser history. Moreover, if the request URL is written to server, proxy or analytics logs, the credentials are recorded in those logs in plaintext as well.
The problematic URL in question is of this form:
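The following is an added example, not text from this advisory or code from the affected project. It shows, in Python, how a repository URL carrying credentials ends up in a query parameter and in an access log, and how to close the leak at both points: strip the userinfo before the URL becomes a parameter, flag request URLs whose parameters contain a credentialed URL, and redact plain and percent-encoded userinfo from log lines that were already written. The path `/create/component/`, the parameter name `repo`, the token value and the log lines are all constructed assumptions for illustration and are not taken from the advisory.

```python
"""
Added example (not code from the advisory or the affected project):
detecting and scrubbing VCS credentials embedded in URLs before they reach
query parameters, browser history or server logs.

Assumptions (hypothetical, for illustration only): the affected page builds
a component-creation link of the form /create/component/?repo=<repo URL>,
and the web server writes request lines in a common-log-like format.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def strip_url_credentials(url: str) -> str:
    """Return `url` with any userinfo (user:password@ or token@) removed.

    Only the network-location part is touched; scheme, host, port, path
    and query survive, so the result still identifies the repository.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]          # keep host[:port] only
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_credentialed_urls_in_query(request_url: str) -> list:
    """Return (parameter name, leaked username) pairs for every query
    parameter whose (percent-decoded) value is a URL carrying userinfo.
    The secret itself is never returned, only the fact that it leaked."""
    leaks = []
    for name, value in parse_qsl(urlsplit(request_url).query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme and "@" in inner.netloc:
            userinfo = inner.netloc.rsplit("@", 1)[0]
            leaks.append((name, userinfo.split(":", 1)[0]))
    return leaks


def build_safe_create_link(base_path: str, repo_url: str) -> str:
    """Build the creation link so that credentials never enter the query
    string (the fix at the source): scrub before encoding the parameter."""
    return f"{base_path}?{urlencode({'repo': strip_url_credentials(repo_url)})}"


# userinfo in a plain URL: scheme://user:secret@host
_PLAIN_USERINFO = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://)[^/\s@?#]+@")
# the same thing percent-encoded inside a query parameter:
# scheme%3A%2F%2Fuser%3Asecret%40host  (stop at the first %2F or raw separator)
_ENCODED_USERINFO = re.compile(
    r"(?i)([a-z][a-z0-9+.-]*%3A%2F%2F)(?:%(?!2F)[0-9a-f]{2}|[^\s%/&?#])+?%40"
)


def scrub_log_line(line: str) -> str:
    """Redact userinfo in both plain and percent-encoded URLs on a log line,
    so a request line never records a PAT in plaintext."""
    line = _PLAIN_USERINFO.sub(r"\1[REDACTED]@", line)
    return _ENCODED_USERINFO.sub(r"\1%5BREDACTED%5D%40", line)


# Constructed sample access-log lines (not real traffic); the token is fake.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2025:10:00:00 +0000] "GET /create/component/'
    '?repo=https%3A%2F%2Foctocat%3Aghp_EXAMPLETOKEN%40github.com%2Forg%2Frepo.git'
    ' HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Apr/2025:10:00:01 +0000] "GET /create/component/'
    '?repo=https%3A%2F%2Fgithub.com%2Forg%2Fother.git HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    leaky_repo = "https://octocat:ghp_EXAMPLETOKEN@github.com/org/repo.git"
    print("safe link :", build_safe_create_link("/create/component/", leaky_repo))
    for line in SAMPLE_LOG:
        request_path = line.split('"')[1].split(" ")[1]
        print("leaks     :", find_credentialed_urls_in_query(request_path))
        print("scrubbed  :", scrub_log_line(line))
```

`strip_url_credentials` is the fix to apply where the link is built; `find_credentialed_urls_in_query` is the check to run over existing access logs (or as a request filter) to find out whether credentials have already been exposed, in which case the affected tokens should be rotated, not merely redacted.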