Unrated severityNVD Advisory· Published Jan 27, 2025· Updated Feb 12, 2025

vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait

CVE-2025-24365

Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization (in real case the user can be a part of the organization as an unprivileged user) and be the owner/admin of other organization (by default you can create your own organization) in order to attack. This vulnerability is fixed in 1.33.0.

Affected products

Dani Garcia/Vaultwardenv5
Range: < 1.33.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/dani-garcia/vaultwarden/releases/tag/1.33.0mitrex_refsource_MISC
github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000