Security Update 0.23.2: CVE-2025-59344

By Leendert de Borst

2025-09-19

AliasVault has addressed a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-59344 (7.7 High). This security advisory details the vulnerability, its impact, and the immediate actions required for all AliasVault users.

🚨 Action Required: All users self-hosting AliasVault 0.23.0 or lower are advised to upgrade to version 0.23.2 as soon as possible, which includes both the security fix from 0.23.1 and additional usability improvements. End-users only using client apps are not affected.


🔒 Security Vulnerability Details (CVE-2025-59344)

Impact and Scope

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the favicon extraction feature of AliasVault API versions 0.23.0 and lower. This vulnerability could allow authenticated users to:

  • Probe internal networks: Send favicon extraction requests to loopback (127.0.0.0/8) and RFC1918/private networks from the server's perspective
  • Extract image content: Retrieve favicons, PNG/JPEG files in Base64 format from internal services if they exist and are accessible
  • Perform limited reconnaissance: Map internal services through timing and error responses from favicon extraction attempts

Note: this vulnerability did not affect, expose or compromise AliasVault's encrypted user data or passwords in any way.

Technical Details

The favicon extraction feature fetches user-supplied URLs and parses returned HTML to follow <link rel="icon" href="…"> references. While the initial URL validation allows only HTTP/HTTPS with default ports, the extractor:

  • Automatically follows redirects without proper validation
  • Does not block requests to loopback or internal IP ranges
  • Returns responses in Base64 form when valid images are found

An authenticated, low-privileged user can exploit this behavior to coerce the backend into making HTTP(S) requests to arbitrary internal hosts and non-default ports.

Affected Environments

This vulnerability only affects self-hosted AliasVault instances that are reachable from the public internet and have public user registration enabled. Private/internal deployments without public sign-ups are not directly exploitable. End-users who only use the client apps (browser extension or mobile apps) are likewise not affected.


πŸ›‘οΈ Security Fix and Timeline

Rapid Response Timeline

The AliasVault maintainers reacted quickly to this responsibly disclosed vulnerability and published a fix within 12 hours:

  • 2025-09-16 00:10 UTC: Vulnerability reported to AliasVault maintainers
  • 2025-09-16 11:44 UTC: Fix implemented and publicly released in AliasVault 0.23.1
  • 2025-09-19 10:30 UTC: Security advisory published (CVE-2025-59344)

The Security Patch (v0.23.1 and v0.23.2)

Version 0.23.1 was released within 12 hours of the responsible disclosure. This update directly addresses the SSRF vulnerability and introduces comprehensive protections, such as:

  • Restricting favicon extraction to public IP ranges
  • Blocking redirects to loopback or internal addresses
  • Improving request validation and the reliability of favicon processing
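As an added example (not AliasVault's own code), the following shows the two checks that the technical details and the fix list above describe: every fetch target, including each redirect hop, is resolved and rejected unless it points at a public address on a default port. The resolver and fetcher are injected, and the sample DNS and HTTP tables are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Added example, not AliasVault's code: the target validation an SSRF fix of this
# kind needs. Every hop, each redirect target included, is resolved and checked first.
DEFAULT_PORT = {"http": 80, "https": 443}

def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # judge ::ffff:127.0.0.1 as 127.0.0.1
    # is_global excludes loopback, RFC1918, link-local, CGNAT, documentation, reserved
    return ip.is_global and not ip.is_multicast

def validate_target(url, resolve):
    """Return the IP to connect to or raise ValueError; resolve(host) -> [ip, ...]."""
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORT or not p.hostname:
        raise ValueError(f"scheme/host not allowed: {url}")
    if (p.port or DEFAULT_PORT[p.scheme]) != DEFAULT_PORT[p.scheme]:
        raise ValueError(f"non-default port not allowed: {url}")
    ips = resolve(p.hostname)
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad or not ips:               # any internal answer poisons the whole name
        raise ValueError(f"{p.hostname} resolves to non-public {bad}")
    return ips[0]

def fetch_favicon(url, resolve, fetch, max_hops=3):
    """Follow redirects manually; fetch(url, ip) -> (status, location, body)."""
    try:
        for _ in range(max_hops + 1):
            ip = validate_target(url, resolve)
            status, location, body = fetch(url, ip)
            if status in (301, 302, 303, 307, 308) and location:
                url = location       # re-validated on the next iteration
                continue
            return {"ok": status == 200, "status": status, "body": body}
        raise ValueError("too many redirects")
    except ValueError as e:
        return {"ok": False, "status": None, "error": str(e)}

# Constructed sample resolver and fetcher standing in for real DNS and HTTP.
SAMPLE_DNS = {"site.example": ["93.184.216.34"], "localhost": ["127.0.0.1"],
              "dual.example": ["93.184.216.34", "10.0.0.5"]}
SAMPLE_HTTP = {"https://site.example/favicon.ico": (200, None, b"\x89PNG"),
               "https://site.example/redir": (302, "http://localhost/", b"")}
def sample_resolve(host): return SAMPLE_DNS.get(host, [])
def sample_fetch(url, ip): return SAMPLE_HTTP.get(url, (404, None, b""))
```

A real fetcher must connect to the validated `ip` (not re-resolve the hostname) while still sending the original Host/SNI, otherwise a second DNS lookup can return a different answer than the one that was checked.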

Version 0.23.2 is now also available and adds further improvements to the browser extension, mobile apps, alias generation, and infrastructure. We recommend upgrading directly to 0.23.2 to benefit from both the security patch and the latest enhancements.


🚨 Immediate Actions Required

For Self-Hosted Users

Update immediately by following the official update instructions:

  1. Update AliasVault installed via install script
  2. Update AliasVault installed via manual Docker Compose

For Cloud Users

The AliasVault cloud instance has been automatically updated to the latest secure version. No action required.

πŸ› οΈ Temporary Workarounds

If you cannot update immediately, reduce exposure by disabling public account registration:

./install.sh configure-registration

Or by manually updating .env and restarting the Docker containers:

PUBLIC_REGISTRATION_ENABLED=false

This prevents unauthorized users from creating accounts that could exploit the vulnerability.

📋 Stay Up-to-date

Star the repository on GitHub, subscribe to the AliasVault RSS news feed or join the AliasVault Discord to get notified about new releases.

🔗 References and Resources

We extend our sincere gratitude to Filippo Decortes from Bitcube Security for the responsible disclosure of this vulnerability, the detailed technical analysis that enabled rapid remediation, and the professional coordination throughout the disclosure process.

At AliasVault, security and transparency are the core of what we do. If you have any questions about this update or our security practices, feel free to reach out to security@support.aliasvault.net.

We thank the open source community for their valuable feedback and ongoing support!
