CVE-2024-55224
📋 TL;DR
An HTML injection vulnerability in Vaultwarden allows an attacker to place HTML/JavaScript in a user's username, which is then rendered unescaped in email messages the server sends. This could lead to arbitrary code execution when the email is viewed. All Vaultwarden instances prior to version 1.32.5 are affected.
💻 Affected Systems
- Vaultwarden
📦 What is this software?
Vaultwarden by Dani Garcia: an unofficial, lightweight implementation of the Bitwarden server API, written in Rust.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary code on the server, potentially compromising the entire Vaultwarden instance and accessing all stored passwords and sensitive data.
Likely Case
Attackers could perform cross-site scripting attacks, steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, the injected HTML would be rendered harmless as plain text.
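The mitigation described above is output encoding at the point where the username enters the HTML email template. The following Rust example is added here for illustration and is not Vaultwarden's code; it contrasts the vulnerable pattern (raw interpolation) with the hardened one (escaping the HTML-significant characters first). The template string, function names and the sample username are constructed for the example.

```rust
// Added example, not Vaultwarden's code: HTML-escape user-controlled fields
// before interpolating them into an HTML email body, so a username such as
// `<script>alert(1)</script>` is shown by the mail client as literal text.

/// Escape the five characters that are significant in HTML text and
/// attribute contexts. Returns a new String; the input is borrowed.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern (constructed template): the username is interpolated
/// raw, so any markup it contains becomes part of the email's HTML.
pub fn render_greeting_unsafe(username: &str) -> String {
    format!("<p>Hello, {}!</p>", username)
}

/// Hardened pattern: encode on output, at the moment the value enters HTML.
/// The stored username is left unchanged; only its rendering is escaped.
pub fn render_greeting_escaped(username: &str) -> String {
    format!("<p>Hello, {}!</p>", html_escape(username))
}

fn main() {
    // Constructed sample username containing markup.
    let username = "<script>alert(1)</script>";
    println!("unsafe:  {}", render_greeting_unsafe(username));
    println!("escaped: {}", render_greeting_escaped(username));
}
```

Escaping must happen for every user-controlled value placed into the template, not only the username, and it must match the context (HTML text here; attribute or URL contexts need their own encoders). Input validation on the username is a useful second layer but does not replace output encoding, because a value accepted earlier may still reach an HTML context later.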
🎯 Exploit Status
Exploitation requires the ability to create or modify user accounts with crafted usernames, which typically requires some level of access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.32.5
Vendor Advisory: https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.5
Restart Required: Yes
Instructions:
1. Back up your Vaultwarden data.
2. Stop the Vaultwarden service.
3. Update to version 1.32.5 or later using your preferred method (Docker, package manager, manual).
4. Restart the Vaultwarden service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Disable email notifications
Temporarily disable email functionality to prevent exploitation via the vulnerable email component.
Set SMTP_ENABLED=false in your Vaultwarden configuration
Input validation at proxy level
Configure a web application firewall or reverse proxy to block HTML/JavaScript in username fields.
🧯 If You Can't Patch
- Implement strict input validation for all user-controlled fields, especially usernames
- Deploy a web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check if your Vaultwarden version is below 1.32.5
Check Version:
Run docker exec vaultwarden vaultwarden --version (assuming the container is named vaultwarden), or check the web interface footer.
Verify Fix Applied:
Confirm that the version is 1.32.5 or higher and test that HTML in the username field is rendered as plain text in emails rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript patterns in username fields
- Multiple failed login attempts with suspicious usernames
Network Indicators:
- HTTP requests containing HTML/JavaScript in username parameters
- Unusual email sending patterns
SIEM Query:
source="vaultwarden" AND (username CONTAINS "<script>" OR username CONTAINS "javascript:" OR username CONTAINS "onerror=")
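To check what the SIEM query above would match before deploying it, the logic can be replayed offline over sample log lines. The following Rust example is added here and is not part of the advisory or of Vaultwarden; the `key="value"` log format and the log lines are constructed for the example. It also goes one step beyond the raw query by matching case-insensitively, since a literal `CONTAINS "<script>"` misses `<SCRIPT>`.

```rust
// Added example, not part of the advisory: replay the SIEM query's indicator
// matching over constructed log lines. Log format is assumed to be
// space-separated key="value" fields; this is not Vaultwarden's log format.

/// Indicator substrings taken from the advisory's SIEM query.
const PATTERNS: [&str; 3] = ["<script>", "javascript:", "onerror="];

/// Extract the double-quoted value of `key` from a key="value" log line.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let marker = format!("{}=\"", key);
    let start = line.find(&marker)? + marker.len();
    let rest = &line[start..];
    let end = rest.find('"')?;
    Some(&rest[..end])
}

/// True when the username contains any indicator, compared case-insensitively
/// (the raw query is case-sensitive; lower-casing closes that gap).
pub fn username_is_suspicious(username: &str) -> bool {
    let lowered = username.to_ascii_lowercase();
    PATTERNS.iter().any(|p| lowered.contains(*p))
}

/// Apply the query: source must be "vaultwarden" and the username must hit an
/// indicator. Returns (line index, username) for each match.
pub fn scan(lines: &[&str]) -> Vec<(usize, String)> {
    lines
        .iter()
        .enumerate()
        .filter(|(_, l)| field(l, "source") == Some("vaultwarden"))
        .filter_map(|(i, l)| field(l, "username").map(|u| (i, u.to_string())))
        .filter(|(_, u)| username_is_suspicious(u))
        .collect()
}

/// Constructed sample log: one benign line, two hits, one non-Vaultwarden line.
pub const SAMPLE_LOG: [&str; 4] = [
    r#"source="vaultwarden" event="user.create" username="alice""#,
    r#"source="vaultwarden" event="user.update" username="<script>alert(1)</script>""#,
    r#"source="nginx" event="request" username="<SCRIPT>x</SCRIPT>""#,
    r#"source="vaultwarden" event="user.update" username="<IMG onError=1>""#,
];

fn main() {
    for (i, u) in scan(&SAMPLE_LOG) {
        println!("line {}: suspicious username {:?}", i, u);
    }
}
```

Substring matching on three indicators is a starting point, not a complete rule: a username can carry markup without any of these tokens, so the "Verify Fix Applied" step above (confirming the patched version) remains the authoritative check, and the query is best used to triage accounts created or modified before the upgrade.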