VYPR
Low severity · NVD Advisory · Published Jan 9, 2025 · Updated Jan 10, 2025

CVE-2024-55226

Description

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vaultwarden v1.32.5 has an authenticated reflected XSS vulnerability in /api/core/mod.rs, allowing script injection in authenticated contexts.

Overview

CVE-2024-55226 describes an authenticated reflected cross-site scripting (XSS) vulnerability in Vaultwarden version 1.32.5. The flaw resides in the /api/core/mod.rs component, where user input is improperly sanitized, enabling an attacker who has already authenticated to inject arbitrary JavaScript into a page that is subsequently reflected back to the victim's browser.

Exploitation Details

To exploit this vulnerability, an attacker must first possess valid credentials for the Vaultwarden instance. The attack vector relies on crafting a malicious link or request that includes a payload in a parameter processed by the affected endpoint. When the authenticated victim visits that crafted URL, the payload is reflected and executed in their session context. No further privileges beyond standard user authentication are required, but the attacker must be able to trick an authenticated user into accessing the malicious link.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's authenticated session. This can lead to session hijacking, exfiltration of stored vault credentials, or unauthorized actions performed on behalf of the victim. Given that Vaultwarden is a password management server, the impact of such an attack is severe, potentially exposing all stored secrets of a compromised user.

Mitigation

The vulnerability is fixed in Vaultwarden version 1.32.4 and later releases [2]. Users are strongly advised to upgrade to the latest version. No workarounds have been publicly documented; updating the server software is the recommended course of action. The issue was discovered during a penetration test and disclosed responsibly [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions    Patched versions
vaultwarden (crates.io)  < 1.32.5             1.32.5
