Heads Up: Bogus CVE assigned to Bitwarden #14943
Replies: 3 comments 1 reply
✨ Thank you for your code contribution proposal! While the Bitwarden team reviews your submission, we encourage you to check out our contribution guidelines. Please ensure that your code contribution includes a detailed description of what you would like to contribute, along with any relevant screenshots and links to existing feature requests. This information helps us gather feedback from the community and Bitwarden team members before you start writing code. To keep discussions focused, posts that do not include a proposal for a code contribution will be removed.
Thank you for contributing to Bitwarden!
Hi there, and thanks for sharing! Closing this one out for now, as the details have been passed along to the team.
@uedvt359 FYI, Bitwarden released Web Vault version 2.25.1 on Jan. 6, 2022; it was superseded by version 2.26.0 on Feb. 8, 2022, and has been deprecated for over three years. However, the Proof-of-Concept by user "YZS17" used the Vaultwarden release, which is a modified version of the official Web Vault app. Specifically, the Proof-of-Concept appears to be based on Vaultwarden 1.24.0 (released Jan. 30, 2022), which is the only Vaultwarden server version that included version 2.25.1 on the modified Web Vault app.
Earlier versions of the Bitwarden Web Vault client did have the capability to open PDF files for inline viewing in a separate browser tab, so it is possible that in early 2022, the PDF contents were displayed instead of just being downloaded (which is the current behavior). I don't know whether there was ever an XSS vulnerability in the official Bitwarden Web Vault client, since this has not been demonstrated in the published Proof-of-Concept. Regardless, up-to-date versions of Bitwarden (which simply download the attachments) would not have any such vulnerability, as you have noted.
Code Contribution Proposal
It appears somebody has coaxed the CNA 'VulDB' into assigning CVE-2025-5138 to a bogus security claim.
The writeup claims that PDFs that contain javascript are an XSS vector to bitwarden when added as attachment to a password. This is not so, the PDF simply gets downloaded and then opened by the browser in a separate JS-context - no XSS possible.
Additionally, the claimed vulnerable version number is 2.25.1 - I was unable to find this anywhere; after v1.5.x BW seems to have switched to date-based releases (e.g. 2022.05). The web UI also looks like a rather old version, not the current 2025 iteration (not that it matters, as the vuln is not real).
This has already (and obviously) been picked up by the vulnerability management ~~circus~~ companies and is making the rounds in various companies' bug trackers by now. I'm posting this here in hopes of reducing the burden on the bitwarden support team.