Vaultwarden Arbitrary Code Execution Vulnerability in Admin Panel

Vulnerability

A vulnerability allowing authenticated users to execute arbitrary code on the host has been identified in Vaultwarden, an unofficial Bitwarden-compatible server written in Rust. It affects versions up to and including 1.32.7. An attacker with access to the Vaultwarden admin panel can embed commands in a crafted favicon image; those commands are executed when the admin panel's test-email feature invokes a manipulated mail agent (sendmail) setting. The vulnerability is patched in version 1.33.0.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Vaultwarden is running.

Reproduction

To reproduce this vulnerability, an authenticated user must access the Vaultwarden admin panel. Once there, they change the mail agent setting to sendmail, but with a configuration that executes a shell command instead. Next, the user creates a favicon image that contains the embedded commands, names it 'apple-touch-icon.png' or 'favicon.ico', and serves it from a remote server. A request is then made to have the Vaultwarden host download the image, after which the admin panel's SMTP test-email feature triggers execution of the embedded commands.

Remediation

Users are advised to update Vaultwarden to version 1.33.0, where this vulnerability has been fixed.
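A defender-side version gate, added here as an example and not part of this record or of the Vaultwarden project: it parses the version strings a fleet of deployments report and flags those inside the range stated above (affected through 1.32.7, fixed in 1.33.0). The inventory entries are constructed samples, and the assumption that a build suffix follows a 'MAJOR.MINOR.PATCH' core is mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Range as stated in this advisory.
FIXED_VERSION = "1.33.0"

# Accepts an optional leading 'v' and an optional build suffix after '-' or '+'
# (assumed format, e.g. "1.32.7-abc1234"); the suffix is ignored for ordering.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) or None when the string is unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version_text: str) -> Optional[bool]:
    """True if older than the fixed release, False otherwise, None if unknown.

    Tuple comparison is used deliberately: a naive string compare would rank
    "1.32.10" below "1.32.7".
    """
    version = parse_version(version_text)
    if version is None:
        return None
    return version < parse_version(FIXED_VERSION)


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return host names whose reported version is affected or unparseable.

    Unparseable versions are included on purpose: an unknown build must be
    verified by hand rather than silently treated as patched.
    """
    return sorted(
        host for host, ver in inventory.items() if is_affected(ver) is not False
    )


# Constructed sample inventory (host -> version reported by the deployment).
SAMPLE_INVENTORY = {
    "vault-prod": "1.32.7",
    "vault-staging": "v1.33.0-deadbeef",
    "vault-legacy": "1.30.5",
    "vault-unknown": "n/a",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: reported {SAMPLE_INVENTORY[host]!r}, update to {FIXED_VERSION}")
```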

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.