vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. An attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code on the system. The attacker could change the mail settings to use sendmail as the mail agent, but adjust them so that a shell command is executed instead. They would also need to craft a special favicon image with the commands embedded, which would then run during, for example, sending a test email. This vulnerability is fixed in 1.33.0.
History
Wed, 20 Aug 2025 14:30:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Dani-garcia Dani-garcia vaultwarden | |
| CPEs | cpe:2.3:a:dani-garcia:vaultwarden:*:*:*:*:*:*:*:* | |
| Vendors & Products | Dani-garcia Dani-garcia vaultwarden | |
Wed, 16 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss | epss |
Mon, 27 Jan 2025 18:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. This vulnerability is fixed in 1.33.0. | |
| Title | vaultwarden allows RCE in the admin panel | |
| Weaknesses | CWE-74 | |
| References |  | |
| Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-01-27T17:46:15.260Z
Updated: 2025-02-12T20:41:36.200Z
Reserved: 2025-01-20T15:18:26.990Z
Link: CVE-2025-24364
Vulnrichment
No data.
NVD
Status: Analyzed
Published: 2025-01-27T18:15:41.690
Modified: 2025-08-20T14:16:53.340
Link: CVE-2025-24364
Redhat
No data.