Vaultwarden WebAuthn Backup Flag Tampering Vulnerability Allowing Denial-of-Service
Vulnerability
A vulnerability in Vaultwarden, a Bitwarden-compatible server written in Rust, allows for persistent tampering of WebAuthn credential backup metadata in versions through 1.35.4. The issue arises because the WebAuthn authentication process updates credential flags based on unverified data before validating signatures. An attacker who knows a user's password but cannot provide a valid WebAuthn signature can exploit this flaw to permanently alter the backup eligibility and state flags of the user's credential. As a result, WebAuthn two-factor authentication becomes permanently disabled for the affected credentials, causing a denial-of-service condition.
Impact
Exploitation of this vulnerability leads to a permanent denial-of-service condition for WebAuthn two-factor authentication on affected credentials.
Reproduction
To reproduce this vulnerability, log into a user account with a registered WebAuthn credential. During the login process, when prompted for WebAuthn two-factor authentication, submit a response whose raw ID matches one of the registered credentials. Tamper with the response to set the Backup Eligible flag to true while leaving the signature invalid. Authentication will fail, but the server will still update the stored credential metadata to reflect the tampered flags, creating a persistent issue.
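The flaw described in the Vulnerability and Reproduction sections is an ordering bug: the credential record is mutated from client-supplied flags before the signature over that data has been verified. The following Rust example is added here for illustration and is not Vaultwarden's code nor the webauthn-rs library; it models a stored credential with the WebAuthn BE (backup eligible) and BS (backup state) flags, uses a constructed equality check as a stand-in for real public-key signature verification, and shows the vulnerable ordering next to a corrected one that verifies first, rejects inconsistent flags, and only then persists the state the authenticator is allowed to change. All names, structs, and sample values are assumptions made for the example.

```rust
// Added illustrative example (not Vaultwarden's code, not webauthn-rs): the
// flaw is an ordering bug, so the two functions below differ mainly in when
// the credential record is mutated relative to signature verification.

/// Server-side credential record carrying the WebAuthn BE/BS flags.
#[derive(Clone, Debug, PartialEq)]
pub struct StoredCredential {
    pub raw_id: Vec<u8>,
    pub backup_eligible: bool, // BE flag, fixed at registration
    pub backup_state: bool,    // BS flag, may change over the credential's life
    /// Constructed stand-in for the registered public key: a real server
    /// verifies an ECDSA/EdDSA signature over authData || hash(clientData).
    pub expected_sig: Vec<u8>,
}

/// What the client sends back from the WebAuthn get() ceremony.
#[derive(Clone, Debug)]
pub struct AuthResponse {
    pub raw_id: Vec<u8>,
    pub backup_eligible: bool,
    pub backup_state: bool,
    pub signature: Vec<u8>,
}

/// Toy signature check; byte equality against the stored value stands in for
/// real public-key verification and is NOT a cryptographic check.
fn signature_valid(cred: &StoredCredential, resp: &AuthResponse) -> bool {
    cred.expected_sig == resp.signature
}

fn find_credential<'a>(
    creds: &'a mut [StoredCredential],
    raw_id: &[u8],
) -> Result<&'a mut StoredCredential, &'static str> {
    creds.iter_mut().find(|c| c.raw_id == raw_id).ok_or("unknown credential id")
}

/// Vulnerable ordering: flags are copied from unverified client data before
/// the signature is checked, so a failed ceremony still changes the record.
pub fn finish_auth_vulnerable(
    creds: &mut [StoredCredential],
    resp: &AuthResponse,
) -> Result<(), &'static str> {
    let cred = find_credential(creds, &resp.raw_id)?;
    cred.backup_eligible = resp.backup_eligible;
    cred.backup_state = resp.backup_state;
    if !signature_valid(cred, resp) {
        return Err("invalid signature");
    }
    Ok(())
}

/// Fixed ordering: nothing is persisted until the signature is valid, and the
/// flags are sanity-checked before the one mutable flag is accepted.
pub fn finish_auth_fixed(
    creds: &mut [StoredCredential],
    resp: &AuthResponse,
) -> Result<(), &'static str> {
    let cred = find_credential(creds, &resp.raw_id)?;
    if !signature_valid(cred, resp) {
        return Err("invalid signature");
    }
    // BS set without BE set is impossible under the WebAuthn flag definitions.
    if resp.backup_state && !resp.backup_eligible {
        return Err("inconsistent backup flags");
    }
    // WebAuthn Level 3: backup eligibility is fixed at registration and must
    // match the stored value on every later ceremony.
    if resp.backup_eligible != cred.backup_eligible {
        return Err("backup eligibility changed");
    }
    // Only the backup state may legitimately change over time.
    cred.backup_state = resp.backup_state;
    Ok(())
}

// Constructed sample data for the two scenarios.
pub fn sample_credential() -> StoredCredential {
    StoredCredential {
        raw_id: b"cred-1".to_vec(),
        backup_eligible: false,
        backup_state: false,
        expected_sig: b"valid-sig".to_vec(),
    }
}

/// Response with a matching raw ID, tampered flags, and a bad signature.
pub fn tampered_response() -> AuthResponse {
    AuthResponse {
        raw_id: b"cred-1".to_vec(),
        backup_eligible: true,
        backup_state: true,
        signature: b"garbage".to_vec(),
    }
}

/// Response a genuine authenticator would produce for the sample credential.
pub fn valid_response() -> AuthResponse {
    AuthResponse {
        raw_id: b"cred-1".to_vec(),
        backup_eligible: false,
        backup_state: false,
        signature: b"valid-sig".to_vec(),
    }
}

fn main() {
    let mut before = vec![sample_credential()];
    let _ = finish_auth_vulnerable(&mut before, &tampered_response());
    println!("vulnerable: BE after failed login = {}", before[0].backup_eligible);
    let mut after = vec![sample_credential()];
    let _ = finish_auth_fixed(&mut after, &tampered_response());
    println!("fixed:      BE after failed login = {}", after[0].backup_eligible);
}
```

Running the block prints `true` for the vulnerable path and `false` for the fixed one: both reject the login, but only the vulnerable ordering leaves the stored record altered. For defenders, the useful invariant to enforce (and to audit in any relying-party code) is that no credential field is written until the full verification chain, signature included, has succeeded.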
Remediation
Users can upgrade to Vaultwarden version 1.35.5, which addresses this vulnerability.
