Cyber Posture

CVE-2024-55224

Critical · Public PoC

Published: 09 January 2025
Modified: 20 June 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.6th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

An HTML injection vulnerability in Vaultwarden prior to v1.32.5 allows attackers to execute arbitrary code via injecting a crafted payload into the username field of an e-mail message.

Security Summary

CVE-2024-55224 is an HTML injection vulnerability (CWE-79, improper neutralization of input during web page generation) in Vaultwarden versions prior to 1.32.5. An attacker places a crafted payload in the username field; because Vaultwarden embeds that value in the e-mail messages it generates without HTML-escaping it, the payload is rendered as markup by the recipient's mail client. The CVE description records the impact as arbitrary code execution.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, but it requires user interaction: the recipient has to act on the crafted message (UI:R). Successful exploitation has high impact on confidentiality, integrity, and availability with a changed scope, which yields a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

The Vaultwarden release notes for versions 1.32.4 and 1.32.5 address the issue; upgrade to v1.32.5 or later. Further details appear in the vulnerability disclosure published on insinuator.net.
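The following is an added illustration of the bug class described above, written for this page; it is not Vaultwarden's code and does not reproduce its templates. It assumes a hypothetical organisation-invite e-mail built from a user-controlled display name, renders it once without escaping (the vulnerable pattern) and once with output encoding, and uses a small checker to show that only the unescaped body carries a tag the template never contained. The attacker name is constructed for the example, not taken from the advisory.

```rust
// Added example (not Vaultwarden's code): why a user-supplied display name must be
// HTML-escaped at the point where it is interpolated into an HTML e-mail body.

/// Escape the characters that change meaning in HTML text and attribute context.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: the display name is concatenated into the HTML body unchanged,
/// so any markup the user typed becomes part of the message the recipient renders.
pub fn invite_email_vulnerable(inviter_name: &str, org_name: &str) -> String {
    format!(
        "<html><body><p><b>{}</b> has invited you to join <b>{}</b>.</p></body></html>",
        inviter_name, org_name
    )
}

/// Hardened pattern: every untrusted value is escaped when it is written into the template.
pub fn invite_email_hardened(inviter_name: &str, org_name: &str) -> String {
    format!(
        "<html><body><p><b>{}</b> has invited you to join <b>{}</b>.</p></body></html>",
        html_escape(inviter_name),
        html_escape(org_name)
    )
}

/// Check: does the rendered body contain any tag that is not one of the template's own?
/// An unterminated '<' is also reported as injected.
pub fn contains_injected_tag(body: &str, template_tags: &[&str]) -> bool {
    let mut rest = body;
    while let Some(start) = rest.find('<') {
        let after = &rest[start..];
        let end = match after.find('>') {
            Some(e) => e,
            None => return true,
        };
        let tag = &after[..=end];
        if !template_tags.contains(&tag) {
            return true;
        }
        rest = &after[end + 1..];
    }
    false
}

fn main() {
    // Constructed attacker-controlled display name (hypothetical, not from the advisory):
    // a link that the recipient's mail client would render as part of a legitimate invite.
    let name = r#"Mallory<a href="https://attacker.example/reset">Reset your password</a>"#;
    let template_tags = ["<html>", "<body>", "<p>", "<b>", "</b>", "</p>", "</body>", "</html>"];

    let vulnerable = invite_email_vulnerable(name, "Acme");
    let hardened = invite_email_hardened(name, "Acme");

    println!("unescaped body carries injected tag: {}", contains_injected_tag(&vulnerable, &template_tags));
    println!("escaped body carries injected tag:   {}", contains_injected_tag(&hardened, &template_tags));
    println!("escaped name as rendered: {}", html_escape(name));
}
```

The check is deliberately strict about attribute context: because `html_escape` also encodes `"` and `'`, the escaped name stays inert even if a template later places it inside an attribute rather than element text, which is the case a plain `<`/`>` replacement would miss.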

Details

CWE(s)
CWE-79

Affected Products

dani-garcia
vaultwarden
< 1.32.5

References