CVE-2025-59344
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-09-22

Assigner: GitHub, Inc.

Description
AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulnerability exists in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The extractor fetches a user-supplied URL, parses the returned HTML, and follows <link rel="icon" href="…">. Although the initial URL is validated to allow only HTTP/HTTPS with default ports, the extractor automatically follows redirects and does not block requests to loopback or internal IP ranges. An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports. If the target host serves a favicon or any other valid image, the response is returned to the attacker in Base64 form. Even when no data is returned, timing and error behavior can be abused to map internal services. This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. This issue has been fixed in AliasVault release 0.23.1.
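As an added illustration (not AliasVault code and not part of this advisory), the following Python sketch shows the defensive behaviour the description says was missing: every hop of a redirect chain is re-validated for scheme, default port and resolved address before the request is issued, so a validated public URL cannot bounce the server onto loopback or a private range. The DNS table, the fake server responses and all hostnames and URLs are constructed for the example; a real implementation would use the system resolver and check every address it returns.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed stand-in for DNS so the example runs offline. A real
# implementation resolves with the system resolver and checks *every*
# returned address (a record set can mix public and private IPs).
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35"],
    "evil.example.net": ["10.0.0.5"],   # public-looking name, private address
    "localhost": ["127.0.0.1"],
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve(host: str) -> List[str]:
    """Resolve a hostname; bare IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_forbidden_ip(ip_str: str) -> bool:
    """Reject loopback, private, link-local, multicast, unspecified and reserved addresses."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def check_url(url: str) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it is rejected.

    Applies the checks the advisory names: HTTP/HTTPS only, default ports only,
    and no destination that resolves into loopback or internal ranges.
    """
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS:
        return f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname:
        return "missing host"
    port = parsed.port or DEFAULT_PORTS[parsed.scheme]
    if port != DEFAULT_PORTS[parsed.scheme]:
        return f"non-default port: {port}"
    addrs = resolve(parsed.hostname)
    if not addrs:
        return f"unresolvable host: {parsed.hostname!r}"
    for addr in addrs:
        if is_forbidden_ip(addr):
            return f"host {parsed.hostname!r} resolves to internal address {addr}"
    return None


# A fetcher returns (status, headers, body); injected so no network is needed.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]


def fetch_with_safe_redirects(url: str, fetch: Fetcher, max_hops: int = 5) -> Tuple[str, bytes]:
    """Follow redirects manually, re-validating the destination before every hop.

    Automatic redirect following is what lets a validated public URL send the
    server to 127.0.0.1 or an RFC 1918 address; checking each Location header
    closes that gap. Returns (final_url, body) or raises ValueError.
    """
    current = url
    for _ in range(max_hops + 1):
        reason = check_url(current)
        if reason is not None:
            raise ValueError(f"blocked {current}: {reason}")
        status, headers, body = fetch(current)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)  # resolve relative redirects too
            continue
        return current, body
    raise ValueError("too many redirects")


# Constructed fake server: a public URL that redirects to loopback on a
# non-default port, and a legitimate redirect to a CDN-hosted icon.
def fake_fetch(url: str) -> Tuple[int, Dict[str, str], bytes]:
    responses = {
        "https://example.com/bounce": (302, {"Location": "http://127.0.0.1:8080/favicon.ico"}, b""),
        "https://example.com/favicon.ico": (301, {"Location": "https://cdn.example.com/icon.png"}, b""),
        "https://cdn.example.com/icon.png": (200, {"Content-Type": "image/png"}, b"\x89PNG..."),
    }
    return responses.get(url, (404, {}, b""))


def try_fetch(url: str) -> str:
    """Run one guarded fetch and describe the outcome."""
    try:
        final_url, body = fetch_with_safe_redirects(url, fake_fetch)
        return f"ok {final_url} ({len(body)} bytes)"
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("https://example.com/favicon.ico",
              "https://example.com/bounce",
              "https://evil.example.net/favicon.ico",
              "https://example.com:8443/favicon.ico"):
        print(u, "->", try_fetch(u))
```

Two design points matter in practice. First, the check has to run on the resolved address, not on the hostname string, because a public name can point at a private IP. Second, validating the address and then letting the HTTP client resolve the name a second time leaves a time-of-check/time-of-use gap; a production implementation should connect to the address it validated (or validate inside the client's connection hook) rather than re-resolving.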
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor      Product     Version / Range
aliasvault  aliasvault  0.23.1
aliasvault  aliasvault  0.23.0
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a server-side request forgery (SSRF) in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. The feature fetches a user-supplied URL to extract the favicon, automatically follows redirects, and does not block requests to internal or loopback IP addresses. An authenticated, low-privileged user can exploit this to make the backend send HTTP(S) requests to arbitrary internal hosts and non-default ports. The attacker can receive favicon or image data in Base64, or use timing and error responses to map internal services. It only affects self-hosted AliasVault instances that are reachable from the public internet with public user registration enabled.

How can this vulnerability impact me?

This vulnerability can allow an attacker with low privileges to make the backend server send requests to internal network hosts that are normally inaccessible from the outside. This can lead to information disclosure by retrieving internal favicons or images, or by mapping internal services through timing and error analysis. It can potentially expose sensitive internal infrastructure details to unauthorized users.

What immediate steps should I take to mitigate this vulnerability?

Upgrade AliasVault to version 0.23.1 or later, as this version contains the fix for the SSRF vulnerability in the favicon extraction feature. Additionally, if possible, disable public user registration or restrict access to the AliasVault instance from the public internet to prevent exploitation.