Platform
other
Component
aliasvault
Fixed in
0.23.2
A server-side request forgery (SSRF) vulnerability has been identified in AliasVault, a privacy-focused password manager. This flaw resides within the favicon extraction feature of the AliasVault API, allowing an authenticated, low-privileged user to potentially access internal resources. The vulnerability affects versions 0.23.0 and earlier, and a fix is available in version 0.23.1.
The SSRF vulnerability in AliasVault allows an attacker to manipulate the application into making requests to arbitrary internal or external URLs. While the initial URL is validated to allow only HTTP/HTTPS with default ports, the application automatically follows redirects and fails to block requests to loopback or internal IP ranges. This means an attacker could potentially access sensitive internal services, retrieve data from internal databases, or even interact with other systems within the network. The impact is amplified by the fact that the attacker only needs to be an authenticated, low-privileged user to trigger the vulnerability, significantly broadening the potential attack surface.
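The two weaknesses described above (redirects are followed blindly, and loopback/internal ranges are never rejected) are easiest to see next to a guard that closes them. The Python below is an added example written for this page, not AliasVault's code: it re-validates every redirect hop, treats an explicit list of ranges as internal (that list is an assumption), and uses injected stand-ins for DNS and HTTP (`fake_resolve`, `fake_request`, constructed data) so it runs offline; `system_resolve` shows the real resolver call.

```python
"""Defender-side SSRF guard for a favicon fetcher: validate the initial URL
AND every redirect hop against loopback/private ranges before requesting it.
Added example for this page, not AliasVault's code."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

# Assumption: these are the ranges a favicon fetcher must never contact
# (loopback, RFC 1918, CGNAT, link-local incl. cloud metadata, multicast,
# reserved, IPv6 unspecified/loopback/ULA/link-local/multicast).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_internal_ip(ip_text: str) -> bool:
    """True for any address in BLOCKED_NETWORKS; unparseable input fails closed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    # ::ffff:127.0.0.1 is loopback too, so check the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host: str) -> List[str]:
    """Real resolver (not used by the offline demo below)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Scheme, default port and *every* resolved address must pass."""
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS:
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != DEFAULT_PORTS[parsed.scheme]:
        return False, "non-default port"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        addresses = resolve(host)                        # hostname: resolve it
    if not addresses:
        return False, "unresolvable host"
    for addr in addresses:
        if is_internal_ip(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"


def fetch_following_redirects(url: str, resolve, request, max_hops: int = 3) -> Dict:
    """Follow redirects manually so each Location target is validated before use.
    request(url) -> (status, headers, body); header keys are lower-case."""
    for hop in range(max_hops + 1):
        ok, reason = validate_url(url, resolve)
        if not ok:
            return {"blocked": True, "hop": hop, "url": url, "reason": reason}
        status, headers, body = request(url)
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])   # relative Location allowed
            continue
        return {"blocked": False, "hop": hop, "url": url, "status": status, "body": body}
    return {"blocked": True, "hop": max_hops, "url": url, "reason": "too many redirects"}


# --- constructed offline stand-ins for DNS and HTTP (not real services) ---
FAKE_DNS = {"example.com": ["93.184.216.34"], "intranet.local": ["10.0.0.5"]}
FAKE_WEB = {
    "https://example.com/favicon.ico": (200, {}, b"icon-bytes"),
    # A public site whose response redirects the fetcher back at the server itself:
    "https://example.com/redirect": (302, {"location": "http://127.0.0.1/admin"}, b""),
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_request(url: str):
    return FAKE_WEB.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in ("https://example.com/favicon.ico", "http://intranet.local/",
              "http://[::ffff:127.0.0.1]/", "http://example.com:8080/"):
        print(u, "->", validate_url(u, fake_resolve))
    print(fetch_following_redirects("https://example.com/redirect", fake_resolve, fake_request))
```

Two design points: the redirect loop never hands the URL to a client that follows redirects itself, so the Location check cannot be bypassed, and the hostname is resolved and checked before the request. In a production fetcher the connection should also be pinned to the address that was validated, otherwise a DNS answer that changes between the check and the connect (DNS rebinding) would still reach an internal host.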
This vulnerability was publicly disclosed on 2025-09-19. There is currently no indication of active exploitation campaigns targeting AliasVault. The vulnerability's relatively low complexity and the need for authentication suggest a moderate risk of exploitation, though no public proof-of-concept (PoC) has been released as of this writing. It is not currently listed on the CISA KEV catalog.
Organizations utilizing AliasVault's API for favicon extraction, particularly those with internal services accessible from the AliasVault server, are at risk. Shared hosting environments where AliasVault instances share network resources are also particularly vulnerable.
• linux / server: Monitor AliasVault API logs for outbound requests to internal IP addresses (127.0.0.1, 192.168.x.x, 10.x.x.x). Use journalctl -u aliasvault to filter for relevant log entries.
journalctl -u aliasvault | grep -E '\b(127\.0\.0\.1|192\.168\.[0-9]+\.[0-9]+|10\.[0-9]+\.[0-9]+\.[0-9]+)\b'
• generic web: Use curl to test the favicon extraction endpoint with a URL pointing to an internal resource. Observe the response code and any error messages.
curl -v 'https://<aliasvault_url>/api/favicon?url=http://127.0.0.1'
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59344 is to immediately upgrade AliasVault to version 0.23.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests to internal IP ranges and prevent URL redirects. Additionally, restrict network access to the AliasVault server to only necessary ports and services. Monitor AliasVault API logs for suspicious outbound requests to unusual or internal destinations. After upgrading, confirm the fix by attempting to trigger the favicon extraction feature with a URL pointing to an internal resource; the request should be blocked.
Update AliasVault to version 0.23.1 or later. This version contains a fix for the SSRF vulnerability in favicon extraction. The update mitigates the risk of malicious users sending requests to internal hosts.
CVE-2025-59344 is a server-side request forgery (SSRF) vulnerability in AliasVault versions 0.23.0 and below, allowing attackers to make requests to internal resources.
You are affected if you are using AliasVault version 0.23.0 or earlier and utilize the API's favicon extraction feature.
Upgrade AliasVault to version 0.23.1 or later. Implement WAF rules to block requests to internal IP ranges as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the AliasVault security advisory on their official website for detailed information and updates.