CVE-2025-24365 HIGH

CVE-2025-24365: vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait

Vendor Dani-Garcia

Product vaultwarden

Weakness CWE-284

Published January 27, 2025

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker can obtain owner rights of other organization. Hacker should know the ID of victim organization (in real case the user can be a part of the organization as an unprivileged user) and be the owner/admin of other organization (by default you can create your own organization) in order to attack. This vulnerability is fixed in 1.33.0.

Key dates

02Disclosure timeline

January 27, 2025 CVE published

February 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-24365 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2025-24365: vaultwarden allows escalation of privilege via variable confusion in OrgHeaders trait

01Description

02Disclosure timeline

03References

04Related CVE