
Weaviate security release - Medium and High severity fixes for CVE-2025-67818 and CVE-2025-67819

Blog post from Weaviate

Author: Spiros Andreou
Word count: 472
Language: English
Summary

Weaviate has released security patches for the 1.30.x through 1.33.x release lines that fix two path traversal vulnerabilities, CVE-2025-67818 and CVE-2025-67819. The high severity CVE-2025-67818 affects the backup modules: an attacker can use symbolic links or path-traversal segments to create or overwrite files anywhere the Weaviate process has write access. Operators are advised to upgrade to a patched release, or to disable the backup modules until they can. The medium severity CVE-2025-67819 affects the shard movement module, where a malicious fileName parameter can cause arbitrary files to be read. Exploitation requires the shard movement API to be in the "Pause file activity" state, and disabling that API mitigates the issue until the upgrade is applied. Weaviate Cloud and Marketplace customers have already received the patches, and Weaviate Enterprise Support customers were notified in advance. Both vulnerabilities were reported by the researcher soohyun, and Weaviate encourages responsible disclosure of security issues through its Vulnerability Disclosure Program.
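Both issues belong to the same class: a caller-controlled file name is joined onto a trusted directory without checking that the result stays inside it, and symbolic links planted inside that directory let the path escape even when no ".." segment is present. The Go helper below is an added illustration of the check a practitioner would want in such code paths; it is not Weaviate's code and says nothing about how the actual patches were implemented. The function name ContainedPath, the directory layout and the sample names are all assumptions made for this example. It rejects absolute names and dot-segments lexically, then resolves the longest existing prefix of the candidate path through symlinks and requires that the resolved location is still under the (likewise resolved) base directory, so a symlink dropped into a backup or shard directory cannot redirect a read or write elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when an untrusted name would resolve to a
// location outside the trusted base directory.
var ErrOutsideBase = errors.New("path escapes base directory")

// ContainedPath joins untrusted name onto trusted base and returns the
// absolute path only if it stays inside base both lexically and after
// symbolic links are resolved. Hypothetical helper written for this
// example; not Weaviate's own code.
func ContainedPath(base, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	// Reject "." and ".." segments outright. Cleaning alone would turn
	// "a/../../etc/passwd" into a path that only looks harmless after
	// it has already climbed out of base.
	for _, seg := range strings.Split(filepath.ToSlash(name), "/") {
		if seg == "." || seg == ".." {
			return "", ErrOutsideBase
		}
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	candidate := filepath.Join(absBase, filepath.Clean(name))
	// Lexical containment: the joined path must sit under absBase.
	if !strings.HasPrefix(candidate, absBase+sep) {
		return "", ErrOutsideBase
	}
	// Physical containment: resolve base itself (it may live under a
	// symlinked directory) and the longest existing prefix of candidate,
	// so a symlink planted anywhere along the way is caught. Not-yet-
	// existing trailing components are allowed, which is what a writer
	// creating a new file needs.
	resolvedBase, err := filepath.EvalSymlinks(absBase)
	if err != nil {
		return "", err
	}
	existing := candidate
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			return "", ErrOutsideBase
		}
		existing = parent
	}
	resolved, err := filepath.EvalSymlinks(existing)
	if err != nil {
		// Includes dangling symlinks: treat anything unresolvable as unsafe.
		return "", err
	}
	if resolved != resolvedBase && !strings.HasPrefix(resolved, resolvedBase+sep) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	// Constructed demo layout: a base dir containing one real file and one
	// symlink that points outside it.
	base, _ := os.MkdirTemp("", "contained-demo")
	outside, _ := os.MkdirTemp("", "contained-outside")
	defer os.RemoveAll(base)
	defer os.RemoveAll(outside)
	_ = os.WriteFile(filepath.Join(base, "ok.bin"), []byte("x"), 0o600)
	_ = os.Symlink(outside, filepath.Join(base, "escape"))

	for _, name := range []string{"ok.bin", "new/file.bin", "../etc/passwd", "/etc/passwd", "escape/secret"} {
		p, err := ContainedPath(base, name)
		fmt.Printf("%-16q -> path=%q err=%v\n", name, p, err)
	}
}
```

Both the lexical and the physical check are needed: the lexical one alone misses symlinks, and EvalSymlinks alone fails on paths that do not exist yet, which is exactly the case when a backup or shard file is about to be created.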