CVE-2024-55225

CVE-2024-55225 is a critical authentication bypass vulnerability (CVSS 3.1 score of 9.8) in the src/api/identity.rs component of Vaultwarden, an open-source Bitwarden-compatible password manager server, affecting versions prior to 1.32.5. The flaw, tied to CWE-276 (Incorrect Default Permissions), enables attackers to impersonate any user, including administrators, by crafting a malicious authorization request. This issue was publicly disclosed on January 9, 2025.

The vulnerability is exploitable remotely over the network with low complexity, requiring no privileges, no user interaction, and no special setup (AV:N/AC:L/PR:N/UI:N/S:U). Any unauthenticated attacker can send a specially crafted request to the identity API endpoint, bypassing authentication checks and assuming the identity of legitimate users or admins. Successful exploitation grants full access to the victim's account, potentially allowing theft of stored credentials, organization data, or administrative control over the Vaultwarden instance, such as user management or configuration changes.

Mitigation requires upgrading to Vaultwarden version 1.32.5 or later, as detailed in the project's release notes on GitHub (tags 1.32.4 and 1.32.5). A vulnerability disclosure from Insinuator.net provides additional technical details on the authentication bypass mechanism and recommends immediate patching, with no workarounds mentioned for affected versions.