Vaultwarden Brute-Force Protection Bypass Vulnerability
Vulnerability
A vulnerability exists in Vaultwarden versions prior to 1.35.4 that allows attackers to bypass login brute-force protection when email two-factor authentication (2FA) is enabled. The issue arises because the 2FA function 'send_email_login' is not covered by the login rate limiting, so it can be used to determine whether a username-password combination is valid. This allows passwords to be brute-forced without rate limits, and it affects even users who do not have email 2FA configured on their own account.
Impact
Exploitation of this vulnerability allows for password brute-forcing without the usual rate limits, potentially leading to unauthorized access.
Reproduction
To reproduce this vulnerability, enable email two-factor authentication on a Vaultwarden account. Then submit username-password combinations to the 'send_email_login' API endpoint. If a combination is correct, the endpoint returns status code 200 and sends a 2FA code by email; if it is incorrect, it responds with a message indicating the error. This process can be automated with a script that cycles through password guesses, taking advantage of the lack of rate limiting.
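Because the advisory says a wrong guess produces an error response while a correct one produces a 200, a defender can spot this brute-forcing in reverse-proxy access logs as a burst of requests to the send_email_login endpoint from one source, most of them failing. The script below is an added detection example, not code from the advisory or from the Vaultwarden project: the log lines are constructed, the URL path containing "send-email-login" and the 60-second/10-request threshold are assumptions to adjust for your deployment, and only the endpoint name comes from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in a common reverse-proxy format (not real Vaultwarden output).
# The path is an assumption; the page names only the function 'send_email_login'.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:03 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:05 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:07 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:09 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:11 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:13 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:15 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:17 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:19 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:21 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:23 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 400 61
203.0.113.7 - - [12/Mar/2025:10:00:25 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 200 2
203.0.113.7 - - [12/Mar/2025:10:00:30 +0000] "GET /api/sync HTTP/1.1" 200 4120
198.51.100.5 - - [12/Mar/2025:10:05:00 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 200 2
198.51.100.5 - - [12/Mar/2025:10:30:00 +0000] "POST /api/two-factor/send-email-login HTTP/1.1" 200 2
"""

# Match the endpoint by name regardless of dash/underscore spelling in the path.
ENDPOINT_RE = re.compile(r"send[-_]email[-_]login", re.IGNORECASE)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(log_text):
    """Yield (source_ip, timestamp, status) for every request to the send_email_login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not ENDPOINT_RE.search(m["path"]):
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])


def max_in_window(times, window_seconds):
    """Largest number of events inside any sliding window of window_seconds (two-pointer scan)."""
    times = sorted(times)  # log lines from several workers may be interleaved out of order
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bursts(log_text, window_seconds=60, threshold=10):
    """Return one alert per source IP whose request rate to the endpoint exceeds the threshold."""
    per_ip = defaultdict(list)
    for ip, ts, status in parse_events(log_text):
        per_ip[ip].append((ts, status))
    alerts = []
    for ip, events in sorted(per_ip.items()):
        burst = max_in_window([ts for ts, _ in events], window_seconds)
        if burst >= threshold:
            alerts.append({
                "ip": ip,
                "burst": burst,                                   # peak requests in one window
                "total": len(events),
                "failed": sum(1 for _, s in events if s != 200),  # wrong guesses return an error
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"{alert['ip']}: {alert['burst']} requests/{60}s, "
              f"{alert['failed']} of {alert['total']} failed")
```

On the constructed sample, 203.0.113.7 is flagged with 13 requests in one window and 12 failures, while 198.51.100.5 (two widely spaced, successful requests) is not. The failure count is the useful second signal: a legitimate user rarely produces a long run of error responses from this endpoint, whereas a guessing script produces almost nothing else until it hits the right password.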
Remediation
Users are advised to update Vaultwarden to version 1.35.4 or later.
