Trilium Notes Brute-Force Protection Bypass Vulnerability

Vulnerability

A brute-force protection bypass vulnerability has been identified in Trilium Notes versions prior to 0.97.0. The initial sync seed retrieval endpoint accepts password attempts without the rate limiting that protects the regular login, so an unauthenticated attacker can guess the login password through it. Trilium Notes is a single-user application that does not require a username, which makes this vulnerability particularly concerning. The lack of a strong password policy further exacerbates the issue, as passwords can be very simple. Additionally, features such as multi-factor authentication and note sharing indicate that Trilium instances are expected to be exposed to the internet.

Impact

Exploitation of this vulnerability allows for password guessing without triggering rate limits, potentially leading to unauthorized access.

Reproduction

To reproduce this vulnerability, send a GET request to the '/api/setup/sync-seed' endpoint with a 'trilium-cred' header whose value is the base64 encoding of ':<password>'. Because the endpoint is not rate limited, this can be automated with a script that tests multiple passwords in parallel.

Remediation

Users are advised to upgrade to Trilium Notes version 0.97.0 or later, where this vulnerability has been patched.

Added: Aug 5, 2025, 1:47 AM
Updated: Aug 5, 2025, 1:47 AM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.