VYPR
Low severity · NVD Advisory · Published Jan 9, 2025 · Updated Jan 10, 2025

CVE-2024-55224

Description

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vaultwarden prior to v1.32.5 does not neutralize HTML in a user-controlled display name before placing it in the body of an outgoing e-mail, so a user-chosen name can inject markup into messages the server sends.

An HTML injection vulnerability exists in Vaultwarden versions prior to v1.32.5. The NVD description states that a crafted payload in the username field of an e-mail message allows an attacker to "execute arbitrary code" [1]. The underlying flaw is that a user-controlled display name is interpolated into the HTML body of an e-mail without being escaped, so any tags it contains are interpreted by the recipient's mail client instead of being shown as literal text.

To exploit this, an attacker needs an account whose display name they control and a path that makes the server e-mail another user with that name in it (for example a notification whose template shows who performed an action). Because the display name is a field the account holder sets, no privileged access or special network position is required beyond normal application access. The injected markup takes effect when the recipient's mail client renders the message; the description's "arbitrary code" wording should be read in that light, since HTML injection into an e-mail body does not run code on the Vaultwarden server, and the Low severity rating reflects that.

Successful exploitation lets an attacker place arbitrary HTML in a message that genuinely originates from the organization's Vaultwarden instance, which makes it a convincing vehicle for phishing (for instance a link styled as an official account action). Mail clients do not execute JavaScript in message bodies, so the impact is bounded by what attacker-controlled markup can do inside an e-mail: misleading links, spoofed text and layout, and tracking images.

The vulnerability has been patched in Vaultwarden version 1.32.5; users are strongly advised to upgrade [2]. No workaround is available other than applying the update. While an upgrade is pending, reviewing existing display names for markup characters such as "<" and ">" is a reasonable interim check for abuse, but it does not close the hole.
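
The bug class described above, shown as an added example in Rust (the language Vaultwarden is written in). This is not Vaultwarden's code: the e-mail template, the function names and the payload are all constructed here for illustration. It renders the same attacker-chosen display name into an HTML e-mail body once without escaping (the vulnerable pattern) and once with escaping at the sink (the fix pattern), and includes the kind of heuristic an operator could run over stored display names while waiting to upgrade.

```rust
// Added illustration of the HTML-injection class behind CVE-2024-55224.
// NOT Vaultwarden's code; template, names and payload are constructed.

/// Minimal HTML escaping for text and double-quoted attribute contexts.
/// These five characters are the ones that can change HTML structure.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable rendering (hypothetical template): the inviter's display
/// name and the organization name are concatenated into the HTML body
/// verbatim, so any tags inside them become part of the document.
fn render_invite_vulnerable(inviter_name: &str, org_name: &str) -> String {
    format!(
        "<p>{} has invited you to join the organization \"{}\".</p>",
        inviter_name, org_name
    )
}

/// Hardened rendering: every untrusted value is escaped at the sink,
/// immediately before it is placed into HTML. Template literals such as
/// <p> and the surrounding quotes are trusted and stay as they are.
fn render_invite_hardened(inviter_name: &str, org_name: &str) -> String {
    format!(
        "<p>{} has invited you to join the organization \"{}\".</p>",
        html_escape(inviter_name),
        html_escape(org_name)
    )
}

/// Interim check an operator could run over stored display names on an
/// unpatched instance: flags tag delimiters and numeric character
/// references, which no ordinary name needs. Apostrophes are left alone
/// so names like O'Brien are not flagged.
fn looks_like_markup(name: &str) -> bool {
    name.contains('<') || name.contains('>') || name.contains("&#")
}

fn main() {
    // Constructed payload: a display name carrying an anchor that mimics a
    // legitimate account action. Nothing here touches the network.
    let payload = "Alice <a href=\"https://phish.example/reset\">Reset your vault password</a>";
    println!("vulnerable: {}", render_invite_vulnerable(payload, "Acme"));
    println!("hardened:   {}", render_invite_hardened(payload, "Acme"));
    println!("flagged:    {}", looks_like_markup(payload));
}
```

In the vulnerable output the anchor survives intact and a mail client will render a clickable link inside an e-mail that really did come from the server; in the hardened output the recipient sees the raw markup as text. The escaping belongs at the point where a value enters HTML, not at input time, so that stored names stay usable in plain-text contexts (logs, JSON APIs, plain-text e-mail alternatives) without double-encoding.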

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
vaultwarden   crates.io   < 1.32.5            1.32.5
