CVE-2025-59344
Description
AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and earlier. The extractor fetches a user-supplied URL, parses the returned HTML, and follows <link rel="icon" href="…">. Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges, so a redirect (or a favicon link in the fetched HTML) can steer the backend to a destination the initial check would have rejected. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability is most exposed on self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable by outsiders, although any existing account holder can still reach the vulnerable endpoint. This issue has been fixed in AliasVault release 0.23.1.
Affected products
Affected versions: 0.1.0 through 0.23.0 (every release before the 0.23.1 fix).
Patches
2e5c68c6c6e06Bump version to 0.23.1 (#1227)
9 files changed · +15 −15
apps/browser-extension/package.json+1 −1 modified@@ -2,7 +2,7 @@ "name": "aliasvault-browser-extension", "description": "AliasVault Browser Extension", "private": true, - "version": "0.23.0", + "version": "0.23.1", "type": "module", "scripts": { "dev:chrome": "wxt -b chrome",
apps/browser-extension/safari-xcode/AliasVault/AliasVault.xcodeproj/project.pbxproj+4 −4 modified@@ -460,7 +460,7 @@ "@executable_path/../../../../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 10.14; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "-framework", SafariServices, @@ -492,7 +492,7 @@ "@executable_path/../../../../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 10.14; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "-framework", SafariServices, @@ -530,7 +530,7 @@ "@executable_path/../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 10.14; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "-framework", SafariServices, @@ -569,7 +569,7 @@ "@executable_path/../Frameworks", ); MACOSX_DEPLOYMENT_TARGET = 10.14; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "-framework", SafariServices,
apps/browser-extension/src/utils/AppInfo.ts+1 −1 modified@@ -6,7 +6,7 @@ export class AppInfo { /** * The current extension version. This should be updated with each release of the extension. */ - public static readonly VERSION = '0.23.0'; + public static readonly VERSION = '0.23.1'; /** * The minimum supported AliasVault server (API) version. If the server version is below this, the
apps/browser-extension/wxt.config.ts+1 −1 modified@@ -20,7 +20,7 @@ export default defineConfig({ return { name: "AliasVault", description: "AliasVault Browser AutoFill Extension. Keeping your personal information private.", - version: "0.23.0", + version: "0.23.1", content_security_policy: { extension_pages: "script-src 'self' 'wasm-unsafe-eval'; object-src 'self';" },
apps/mobile-app/android/app/build.gradle+1 −1 modified@@ -94,7 +94,7 @@ android { minSdkVersion rootProject.ext.minSdkVersion targetSdkVersion rootProject.ext.targetSdkVersion versionCode 230000 - versionName "0.23.0" + versionName "0.23.1" } signingConfigs { debug {
apps/mobile-app/app.json+1 −1 modified@@ -2,7 +2,7 @@ "expo": { "name": "AliasVault", "slug": "AliasVault", - "version": "0.23.0", + "version": "0.23.1", "orientation": "portrait", "icon": "./assets/images/icon.png", "scheme": "net.aliasvault.app",
apps/mobile-app/ios/AliasVault.xcodeproj/project.pbxproj+4 −4 modified@@ -1218,7 +1218,7 @@ "$(inherited)", "@executable_path/Frameworks", ); - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "$(inherited)", "-ObjC", @@ -1253,7 +1253,7 @@ "$(inherited)", "@executable_path/Frameworks", ); - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; OTHER_LDFLAGS = ( "$(inherited)", "-ObjC", @@ -1863,7 +1863,7 @@ "@executable_path/../../Frameworks", ); LOCALIZATION_PREFERS_STRING_CATALOGS = YES; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE; MTL_FAST_MATH = YES; OTHER_SWIFT_FLAGS = "$(inherited) -D EXPO_CONFIGURATION_DEBUG"; @@ -1908,7 +1908,7 @@ "@executable_path/../../Frameworks", ); LOCALIZATION_PREFERS_STRING_CATALOGS = YES; - MARKETING_VERSION = 0.23.0; + MARKETING_VERSION = 0.23.1; MTL_FAST_MATH = YES; OTHER_SWIFT_FLAGS = "$(inherited) -D EXPO_CONFIGURATION_RELEASE"; PRODUCT_BUNDLE_IDENTIFIER = net.aliasvault.app.autofill;
apps/mobile-app/utils/AppInfo.ts+1 −1 modified@@ -8,7 +8,7 @@ export class AppInfo { /** * The current mobile app version. This should be updated with each release of the mobile app. */ - public static readonly VERSION = '0.23.0'; + public static readonly VERSION = '0.23.1'; /** * The minimum supported AliasVault server (API) version. If the server version is below this, the
apps/server/Shared/AliasVault.Shared.Core/AppInfo.cs+1 −1 modified@@ -30,7 +30,7 @@ public static class AppInfo /// <summary> /// Gets the patch version number. /// </summary> - public const int VersionPatch = 0; + public const int VersionPatch = 1; /// <summary> /// Gets the minimum supported AliasVault client version. Normally the minimum client version is the same
58c39815e4c8Add more browser like behavior to improve FaviconExtractor success rate (#1225)
2 files changed · +59 −9
apps/server/AliasVault.Client/AliasVault.Client.csproj+0 −1 modified@@ -94,7 +94,6 @@ <ProjectReference Include="..\Shared\AliasVault.Shared\AliasVault.Shared.csproj" /> <ProjectReference Include="..\Utilities\Cryptography\AliasVault.Cryptography.Client\AliasVault.Cryptography.Client.csproj" /> <ProjectReference Include="..\Utilities\AliasVault.ImportExport\AliasVault.ImportExport.csproj" /> - <ProjectReference Include="..\Utilities\AliasVault.FaviconExtractor\AliasVault.FaviconExtractor.csproj" /> <ProjectReference Include="..\Utilities\AliasVault.TotpGenerator\AliasVault.TotpGenerator.csproj" /> <ServiceWorker Include="wwwroot\service-worker.js" PublishedContent="wwwroot\service-worker.published.js" /> <ServiceWorker Include="wwwroot\service-worker.published.js">
apps/server/Utilities/AliasVault.FaviconExtractor/FaviconExtractor.cs+59 −8 modified@@ -26,7 +26,7 @@ public static class FaviconExtractor private static readonly string[] _allowedSchemes = { "http", "https" }; /// <summary> - /// Extracts the favicon from a URL. + /// Extracts the favicon from a URL with enhanced browser like behavior. /// </summary> /// <param name="url">The URL to extract the favicon for.</param> /// <returns>Byte array for favicon image.</returns> 
@@ -204,26 +204,64 @@ private static async Task<HtmlNodeCollection[]> GetFaviconNodesFromHtml(HttpResp } /// <summary> - /// Creates a new HTTP client with basic configuration. + /// Creates a new HTTP client with enhanced browser-like configuration to handle bot protection. /// </summary> /// <returns>The HTTP client.</returns> private static HttpClient CreateHttpClient() { var handler = new HttpClientHandler { AllowAutoRedirect = false, // Handle redirects manually + UseCookies = true, // Enable cookie handling for session management + CookieContainer = new System.Net.CookieContainer(), + AutomaticDecompression = System.Net.DecompressionMethods.GZip | System.Net.DecompressionMethods.Deflate | System.Net.DecompressionMethods.Brotli, }; var client = new HttpClient(handler) { - Timeout = TimeSpan.FromSeconds(5), + Timeout = TimeSpan.FromSeconds(5), // Keep original timeout }; - client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"); - client.DefaultRequestHeaders.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"); - client.DefaultRequestHeaders.Add("Accept-Language", "en-US,en;q=0.5"); - client.DefaultRequestHeaders.Add("Connection", "keep-alive"); + var random = new Random(); + var userAgents = new[] + { + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", + "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0", + }; + + // Use random User-Agent + client.DefaultRequestHeaders.Add("User-Agent", userAgents[random.Next(userAgents.Length)]); + + // More comprehensive Accept header with image 
types prioritized + client.DefaultRequestHeaders.Add( + "Accept", + "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"); + + // Additional browser-like headers + client.DefaultRequestHeaders.Add("Accept-Language", "en-US,en;q=0.9"); + client.DefaultRequestHeaders.Add("Accept-Encoding", "gzip, deflate, br"); + client.DefaultRequestHeaders.Add("DNT", "1"); client.DefaultRequestHeaders.Add("Upgrade-Insecure-Requests", "1"); + client.DefaultRequestHeaders.Add("Cache-Control", "max-age=0"); + + // Add Sec-Fetch headers to mimic modern browsers + if (random.Next(2) == 0) + { + client.DefaultRequestHeaders.Add("Sec-Fetch-Dest", "document"); + client.DefaultRequestHeaders.Add("Sec-Fetch-Mode", "navigate"); + client.DefaultRequestHeaders.Add("Sec-Fetch-Site", "none"); + client.DefaultRequestHeaders.Add("Sec-Fetch-User", "?1"); + } + + // Add Chrome-specific headers randomly + if (random.Next(3) == 0) + { + client.DefaultRequestHeaders.Add("Sec-CH-UA", "\"Not_A Brand\";v=\"8\", \"Chromium\";v=\"120\", \"Google Chrome\";v=\"120\""); + client.DefaultRequestHeaders.Add("Sec-CH-UA-Mobile", "?0"); + client.DefaultRequestHeaders.Add("Sec-CH-UA-Platform", "\"Windows\""); + } return client; } @@ -291,7 +329,20 @@ private static bool IsValidUri(Uri uri) while (redirectCount < maxRedirects) { - var response = await client.GetAsync(currentUri); + // Create request with referer header to appear more browser-like + var request = new HttpRequestMessage(HttpMethod.Get, currentUri); + if (redirectCount == 0) + { + // First request - add Google referer to appear like navigation + request.Headers.Add("Referer", "https://www.google.com/"); + } + else + { + // Subsequent redirects - use original URL as referer + request.Headers.Add("Referer", uri.ToString()); + } + + var response = await client.SendAsync(request); if ((int)response.StatusCode >= 300 && (int)response.StatusCode < 400) {
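Review bot: The redirect loop at the end of this section still calls `client.SendAsync(request)` against whatever `currentUri` the previous 3xx response supplied, and nothing in the new code re-runs `IsValidUri` on that hop or rejects loopback, private, link-local or unspecified destinations — the scheme/port check on the initial URL is bypassed by the first redirect, which is exactly the SSRF this advisory describes. The hunk only adds spoofed browser headers, a per-call `new Random()` (prefer `Random.Shared`) and a manual `Accept-Encoding` that `AutomaticDecompression` already emits; neither listed commit visibly adds a destination check, so confirm where 0.23.1 actually closes the hole before treating these diffs as the fix. Each iteration should validate `currentUri` and resolve its host before connecting, failing closed on any internal address as sketched below, and the Referer of subsequent hops should not echo the caller-supplied `uri` to arbitrary redirect targets. Note that resolving with `Dns.GetHostAddressesAsync` is separate from the connection HttpClient later opens, so a DNS-rebinding window remains unless the resolved address is pinned (e.g. via `SocketsHttpHandler.ConnectCallback`). The assignment of `currentUri` from the Location header lies outside the hunk.
```csharp
while (redirectCount < maxRedirects)
{
    // Re-validate every hop: the scheme/port check on the initial URL does not cover redirect targets.
    if (!IsValidUri(currentUri) || await ResolvesToInternalAddressAsync(currentUri))
    {
        throw new InvalidOperationException("Favicon URL resolves to a disallowed destination.");
    }

    var request = new HttpRequestMessage(HttpMethod.Get, currentUri);
    // … unchanged: Referer header, SendAsync and redirect handling …

/// <summary>
/// Resolves the host of <paramref name="uri"/> and reports whether any resolved address
/// is loopback, private (RFC 1918 / CGNAT), link-local, site-local/unique-local or unspecified.
/// Fails closed when resolution yields no addresses.
/// </summary>
private static async Task<bool> ResolvesToInternalAddressAsync(Uri uri)
{
    var addresses = await Dns.GetHostAddressesAsync(uri.DnsSafeHost);
    return addresses.Length == 0 || addresses.Any(IsInternalAddress);
}

private static bool IsInternalAddress(IPAddress ip)
{
    if (ip.IsIPv4MappedToIPv6)
    {
        ip = ip.MapToIPv4();
    }

    if (IPAddress.IsLoopback(ip) || ip.Equals(IPAddress.Any) || ip.Equals(IPAddress.IPv6Any)
        || ip.IsIPv6LinkLocal || ip.IsIPv6SiteLocal)
    {
        return true;
    }

    var b = ip.GetAddressBytes();
    if (ip.AddressFamily == AddressFamily.InterNetwork)
    {
        return b[0] == 0
            || b[0] == 10
            || (b[0] == 172 && (b[1] & 0xF0) == 16)
            || (b[0] == 192 && b[1] == 168)
            || (b[0] == 169 && b[1] == 254)
            || (b[0] == 100 && (b[1] & 0xC0) == 64);
    }

    // IPv6 unique-local fc00::/7
    return (b[0] & 0xFE) == 0xFC;
}
```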
Vulnerability mechanics
References