CVE-2024-55224
Rust vulnerability analysis and mitigation

Overview

An HTML injection vulnerability was discovered in Vaultwarden versions prior to v1.32.5, identified as CVE-2024-55224. The vulnerability allows attackers to execute arbitrary code by injecting a crafted payload into the username field of an e-mail message. The issue was discovered during a security audit and was fixed in version 1.32.5 released in November 2024 (Vaultwarden Release).

Technical details

The vulnerability exists in the email template system where usernames are included in emergency access invites. When a manipulated username is included in the mail template, it is not properly escaped, allowing attackers to add a body separator and inject custom HTML content. The vulnerability has been assigned a CVSS 3.1 base score of 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) (NVD Database).
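To make the escaping gap concrete, the following is an added example and not Vaultwarden's own code: a hypothetical minimal HTML escaper (`html_escape`) and a toy invite template rendered once without escaping and once with it, plus a `count_tags` helper that shows how a regression test can catch user-supplied markup leaking into a rendered mail body. Real template engines typically escape by default; the point here is that an untrusted value spliced into HTML verbatim becomes part of the document.

```rust
// Added example (not Vaultwarden's code): a minimal HTML escaper and a
// mail-template renderer, shown unescaped beside its escaped form.
// `html_escape`, `render_invite_*` and `count_tags` are hypothetical helpers.

/// Escape the characters that change meaning in HTML text and attributes.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: the user-controlled username is spliced into the
/// HTML body verbatim, so any markup it contains becomes part of the mail.
pub fn render_invite_unescaped(username: &str) -> String {
    format!("<p>{} has invited you as an emergency contact.</p>", username)
}

/// Hardened pattern: the value is escaped before it reaches the template,
/// so markup in the username is displayed as text rather than interpreted.
pub fn render_invite_escaped(username: &str) -> String {
    format!(
        "<p>{} has invited you as an emergency contact.</p>",
        html_escape(username)
    )
}

/// Counts the HTML tags in a rendered body. The template above contributes
/// exactly two (`<p>` and `</p>`); anything beyond that came from user input.
/// Suited to a regression test for the template, not a runtime filter.
pub fn count_tags(body: &str) -> usize {
    body.matches('<').count()
}

fn main() {
    // Constructed sample: a display name that happens to contain markup.
    let username = "Alice <b>Smith</b>";
    let unsafe_body = render_invite_unescaped(username);
    let safe_body = render_invite_escaped(username);
    println!("unescaped ({} tags): {}", count_tags(&unsafe_body), unsafe_body);
    println!("escaped   ({} tags): {}", count_tags(&safe_body), safe_body);
}
```

The `count_tags` assertion is the kind of check worth keeping in a mail-template test suite: render every template with a name containing angle brackets and assert that the tag count equals the number of tags in the template itself.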

Impact

The vulnerability allows attackers to inject arbitrary HTML code into email messages, which could be used to execute malicious scripts when the email is viewed by recipients. This could potentially lead to unauthorized access to user data or further system compromise (Insinuator Report).

Mitigation and workarounds

Users are strongly advised to upgrade to Vaultwarden version 1.32.5 or later, which contains the fix for this vulnerability. The update properly escapes usernames before they are inserted into email templates (Vaultwarden Release).

Additional resources

This report was generated using AI.
