Platform: other
Component: aliasvault
Fixed in: 0.23.2
A server-side request forgery (SSRF) vulnerability has been identified in AliasVault, a privacy-focused password manager. This flaw resides within the favicon extraction feature of the AliasVault API, allowing an authenticated, low-privileged user to potentially access internal resources. The vulnerability affects versions 0.23.0 and earlier, and a fix is available in version 0.23.1.
The SSRF vulnerability in AliasVault allows an attacker to manipulate the application into making requests to arbitrary internal or external URLs. While the initial URL is validated to allow only HTTP/HTTPS with default ports, the application automatically follows redirects and fails to block requests to loopback or internal IP ranges. This means an attacker could potentially access sensitive internal services, retrieve data from internal databases, or even interact with other systems within the network. The impact is amplified by the fact that the attacker only needs to be an authenticated, low-privileged user to trigger the vulnerability, significantly broadening the potential attack surface.
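The defensive check the advisory describes as missing, written here as an added illustration and not as AliasVault's own code: the scheme/port validation is applied to every redirect hop rather than only the first URL, and each hop's hostname must resolve to a public address before a request is made. The `fetch`/`resolve` callables and the fixture data are constructed stand-ins so the example runs offline.

```python
"""Added example: SSRF-resistant fetch that re-validates every redirect hop."""
import ipaddress
import socket
from urllib.parse import urlsplit

MAX_REDIRECTS = 5


def is_public_ip(ip_text: str) -> bool:
    """Reject loopback, private, link-local and other non-routable targets."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str, resolve=socket.gethostbyname) -> str:
    """Allow only http/https on default ports whose host resolves to a public IP.
    Returns that IP; a real client should connect to it (setting the Host header)
    so a later DNS answer cannot swap in an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.port not in (None, 80, 443):
        raise ValueError("missing host or non-default port")
    ip = resolve(parts.hostname)
    if not is_public_ip(ip):
        raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return ip


def fetch_with_checked_redirects(url, fetch, resolve=socket.gethostbyname):
    """fetch(url) -> (status, headers, body) and must NOT auto-follow redirects.
    Every hop, including each Location target, passes validate_url first."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolve)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]  # validated at the top of the next pass
            continue
        return url, body
    raise ValueError("too many redirects")


# Constructed offline fixture: a public-looking site whose favicon URL
# redirects to loopback (the pattern the advisory describes).
_SITES = {
    "https://example.test/favicon.ico": (302, {"Location": "http://127.0.0.1/admin"}, b""),
    "https://example.test/icon.png": (200, {}, b"\x89PNG"),
}
_DNS = {"example.test": "93.184.216.34"}  # constructed public address


def demo(url):
    """Returns (final_url, body) or ('blocked', reason)."""
    try:
        return fetch_with_checked_redirects(
            url, lambda u: _SITES[u], lambda h: _DNS.get(h, h))
    except ValueError as err:
        return ("blocked", str(err))
```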
This vulnerability was publicly disclosed on 2025-09-19. There is currently no indication of active exploitation campaigns targeting AliasVault. The vulnerability's relatively low complexity and the need for authentication suggest a moderate risk of exploitation, though no public proof-of-concept (PoC) has been released as of this writing. It is not currently listed on the CISA KEV catalog.
Exploit Status: EPSS 0.04% (12th percentile)
The primary mitigation for CVE-2025-59344 is to immediately upgrade AliasVault to version 0.23.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests to internal IP ranges and prevent URL redirects. Additionally, restrict network access to the AliasVault server to only necessary ports and services. Monitor AliasVault API logs for suspicious outbound requests to unusual or internal destinations. After upgrading, confirm the fix by attempting to trigger the favicon extraction feature with a URL pointing to an internal resource; the request should be blocked.
Update AliasVault to version 0.23.1 or higher. This version contains a fix for the SSRF vulnerability in favicon extraction. The update will mitigate the risk of malicious users making requests to internal hosts.
CVE-2025-59344 is a server-side request forgery (SSRF) vulnerability in AliasVault versions 0.23.0 and below, allowing attackers to make requests to internal resources.
You are affected if you are using AliasVault version 0.23.0 or earlier and utilize the API's favicon extraction feature.
Upgrade AliasVault to version 0.23.1 or later. Implement WAF rules to block requests to internal IP ranges as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the AliasVault security advisory on their official website for detailed information and updates.