
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request. The vulnerability was discovered in October 2024 and publicly disclosed in November 2024 after fixes were implemented (INSINUATOR).
The vulnerability exists in the login endpoint /identity/connect/token, which handles multiple login methods. The issue stems from insufficient validation in the password login handler (`_password_login` in src/api/identity.rs), where auth requests were not bound to the user they were created for. An attacker could create an auth request for one user and use it to log in as another, because the auth request was looked up by UUID alone, with no check that it belonged to the user attempting to log in. The vulnerability has a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
The vulnerability allows attackers to read, write, and delete user data. While encrypted key material cannot be directly accessed without the original password, attackers within an organization could potentially escalate privileges to access all key material since organization master keys are shared. This enables full access to organizational data that should be restricted (INSINUATOR).
The issue was initially addressed in version 1.32.4 by adding device verification, but this fix was incomplete. Version 1.32.5 fully resolved the vulnerability by implementing proper validation that auth requests belong to the user attempting to log in and requiring approval from the authenticated user. Users are strongly recommended to upgrade to version 1.32.5 or later (GITHUB_RELEASE).
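As an added illustration (not Vaultwarden's own code), the following minimal Rust model contrasts the UUID-only lookup with a lookup that enforces the two conditions the fix introduced: the request must belong to the logging-in user and must have been approved by that user. The struct, field names and sample data are constructed for this example.

```rust
use std::collections::HashMap;

/// Constructed model of a stored auth request (not Vaultwarden's own type).
#[derive(Clone, Debug)]
pub struct AuthRequest {
    pub uuid: String,
    pub user_uuid: String, // the user the request was created for
    pub approved: bool,    // set once that user approved it on a trusted device
}

pub type AuthRequestStore = HashMap<String, AuthRequest>;

/// Pre-fix behaviour: the request is fetched by UUID only, so the user
/// claimed in the login is never compared with the request's owner.
pub fn lookup_vulnerable<'a>(store: &'a AuthRequestStore, request_uuid: &str) -> Option<&'a AuthRequest> {
    store.get(request_uuid)
}

/// Hardened behaviour: the request must exist, belong to the user who is
/// logging in, and have been approved by that user; otherwise it is rejected.
pub fn lookup_hardened<'a>(
    store: &'a AuthRequestStore,
    request_uuid: &str,
    login_user_uuid: &str,
) -> Option<&'a AuthRequest> {
    let req = store.get(request_uuid)?;
    if req.user_uuid != login_user_uuid || !req.approved {
        return None;
    }
    Some(req)
}

/// Constructed sample store: one approved and one pending request for "alice".
pub fn sample_store() -> AuthRequestStore {
    let mut store = HashMap::new();
    for (id, approved) in [("req-1", true), ("req-2", false)] {
        store.insert(
            id.to_string(),
            AuthRequest { uuid: id.to_string(), user_uuid: "alice".to_string(), approved },
        );
    }
    store
}

fn main() {
    let store = sample_store();
    // The UUID-only lookup hands back alice's request regardless of who asks;
    // the hardened lookup refuses it for a different login user.
    println!("vulnerable owner: {:?}", lookup_vulnerable(&store, "req-1").map(|r| &r.user_uuid));
    println!("hardened, login as bob: {}", lookup_hardened(&store, "req-1", "bob").is_some());
}
```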
The Vaultwarden team responded quickly to the vulnerability disclosure and worked to implement fixes. The German Federal Office for Information Security (BSI) had previously conducted security testing of Vaultwarden, highlighting the ongoing security focus for this password management solution (INSINUATOR).
Source: This report was generated using AI