Merge branch 'main' into trim-aws-features

3 weeks ago · b261469c9e
19 changed files with 607 additions and 401 deletions
--- a/.env.template
+++ b/.env.template
@ -130,7 +130,7 @@
 ## and are always in terms of UTC time (regardless of your local time zone settings).
 ##
 ## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the the format here: https://crontab.guru, but remove the first digit!
+## You can test the format here: https://crontab.guru, but remove the first digit!
 ## SEC  MIN   HOUR   DAY OF MONTH    MONTH   DAY OF WEEK
 ## "0   30   9,12,15     1,15       May-Aug  Mon,Wed,Fri"
 ## "0   30     *          *            *          *     "
@ -273,7 +273,7 @@
 ## A comma-separated list means only those users can create orgs:
 # ORG_CREATION_USERS=admin1@example.com,admin2@example.com

-## Invitations org admins to invite users, even when signups are disabled
+## Allows org admins to invite users, even when signups are disabled
 # INVITATIONS_ALLOWED=true
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
@ -341,16 +341,16 @@

 ## Icon download timeout
 ## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be to low on slower network connections
+## The default is 10 seconds, but this could be too low on slower network connections
 # ICON_DOWNLOAD_TIMEOUT=10

 ## Block HTTP domains/IPs by Regex
 ## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex withing single quotes!
+## NOTE: Always enclose this regex within single quotes!
 # HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'

-## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
+## Enabling this will cause the internal HTTP client to refuse to connect to any non-global IP address.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true

--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -6,7 +6,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.85.0"
+rust-version = "1.86.0"
 resolver = "2"

 repository = "https://github.com/dani-garcia/vaultwarden"
@ -81,7 +81,7 @@ serde = { version = "1.0.219", features = ["derive"] }
 serde_json = "1.0.140"

 # A safe, extensible ORM and Query builder
-diesel = { version = "2.2.10", features = ["chrono", "r2d2", "numeric"] }
+diesel = { version = "2.2.11", features = ["chrono", "r2d2", "numeric"] }
 diesel_migrations = "2.2.0"
 diesel_logger = { version = "0.4.0", optional = true }

@ -126,7 +126,7 @@ webauthn-rs = "0.3.2"
 url = "2.5.4"

 # Email libraries
-lettre = { version = "0.11.16", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.17", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "hostname", "tracing", "tokio1-rustls", "ring", "rustls-native-certs"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.9"

@ -134,7 +134,7 @@ email_address = "0.2.9"
 handlebars = { version = "6.3.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.12.18", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies"] }
+reqwest = { version = "0.12.20", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
 hickory-resolver = "0.25.2"

 # Favicon extraction libraries
@ -142,6 +142,7 @@ html5gum = "0.7.0"
 regex = { version = "1.11.1", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
 bytes = "1.10.1"
+svg-hush = "0.9.5"

 # Cache function results (Used for version check and favicon fetching)
 cached = { version = "0.55.1", features = ["async"] }
@ -165,9 +166,9 @@ semver = "1.0.26"

 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
-mimalloc = { version = "0.1.46", features = ["secure"], default-features = false, optional = true }
+mimalloc = { version = "0.1.47", features = ["secure"], default-features = false, optional = true }

-which = "7.0.3"
+which = "8.0.0"

 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@ -183,11 +184,11 @@ opendal = { version = "0.53.3", features = ["services-fs"], default-features = f

 # For retrieving AWS credentials, including temporary SSO credentials
 anyhow = { version = "1.0.98", optional = true }
-aws-config = { version = "1.6.3", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
+aws-config = { version = "1.8.0", features = ["behavior-version-latest", "rt-tokio", "credentials-process", "sso"], default-features = false, optional = true }
 aws-credential-types = { version = "1.2.3", optional = true }
-aws-smithy-runtime-api = { version = "1.8.0", optional = true }
+aws-smithy-runtime-api = { version = "1.8.1", optional = true }
 http = { version = "1.3.1", optional = true }
-reqsign = { version = "0.16.3", optional = true }
+reqsign = { version = "0.16.4", optional = true }

 # Strip debuginfo from the release builds
 # The debug symbols are to provide better panic traces
@ -278,7 +279,6 @@ macro_use_imports = "deny"
 manual_assert = "deny"
 manual_instant_elapsed = "deny"
 manual_string_new = "deny"
-match_on_vec_items = "deny"
 match_wildcard_for_single_variants = "deny"
 mem_forget = "deny"
 needless_continue = "deny"
--- a/docker/DockerSettings.yaml
+++ b/docker/DockerSettings.yaml
@ -1,13 +1,13 @@
 ---
-vault_version: "v2025.5.0"
-vault_image_digest: "sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e"
+vault_version: "v2025.6.0"
+vault_image_digest: "sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c"
 # Cross Compile Docker Helper Scripts v1.6.1
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 # https://github.com/tonistiigi/xx | https://hub.docker.com/r/tonistiigi/xx/tags
 xx_image_digest: "sha256:9c207bead753dda9430bdd15425c6518fc7a03d866103c516a2c6889188f5894"
-rust_version: 1.87.0 # Rust version to be used
+rust_version: 1.88.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
-alpine_version: "3.21" # Alpine version to be used
+alpine_version: "3.22" # Alpine version to be used
 # For which platforms/architectures will we try to build images
 platforms: ["linux/amd64", "linux/arm64", "linux/arm/v7", "linux/arm/v6"]
 # Determine the build images per OS/Arch
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@ -19,23 +19,23 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.5.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.5.0
-#     [docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.6.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.6.0
+#     [docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e
-#     [docker.io/vaultwarden/web-vault:v2025.5.0]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c
+#     [docker.io/vaultwarden/web-vault:v2025.6.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c AS vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.87.0 AS build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.87.0 AS build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.87.0 AS build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.87.0 AS build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.88.0 AS build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.88.0 AS build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.88.0 AS build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.88.0 AS build_armv6

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
@ -127,7 +127,7 @@ RUN source /env-cargo && \
 # To uninstall: docker run --privileged --rm tonistiigi/binfmt --uninstall 'qemu-*'
 #
 # We need to add `--platform` here, because of a podman bug: https://github.com/containers/buildah/issues/4742
-FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.21
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3.22

 ENV ROCKET_PROFILE="release" \
    ROCKET_ADDRESS=0.0.0.0 \
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@ -19,15 +19,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2025.5.0
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.5.0
-#     [docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2025.6.0
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2025.6.0
+#     [docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e
-#     [docker.io/vaultwarden/web-vault:v2025.5.0]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c
+#     [docker.io/vaultwarden/web-vault:v2025.6.0]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:a0a377b810e66a4ebf1416f732d2be06f3262bf5a5238695af88d3ec6871cc0e AS vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:494be10bd99d9d05c7bec13dad71ad99102ea920de9a5d3587529709a64fb42c AS vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
@ -36,7 +36,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:9c207bead753dda9430bd

 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.87.0-slim-bookworm AS build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.88.0-slim-bookworm AS build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT
--- a/macros/Cargo.toml
+++ b/macros/Cargo.toml
@ -10,7 +10,7 @@ proc-macro = true

 [dependencies]
 quote = "1.0.40"
-syn = "2.0.101"
+syn = "2.0.104"

 [lints]
 workspace = true
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.87.0"
+channel = "1.88.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -8,8 +8,8 @@ use serde_json::Value;
 use crate::{
    api::{
        core::{log_user_event, two_factor::email},
-        register_push_device, unregister_push_device, AnonymousNotify, EmptyResult, JsonResult, Notify,
-        PasswordOrOtpData, UpdateType,
+        master_password_policy, register_push_device, unregister_push_device, AnonymousNotify, EmptyResult, JsonResult,
+        Notify, PasswordOrOtpData, UpdateType,
    },
    auth::{decode_delete, decode_invite, decode_verify_email, ClientHeaders, Headers},
    crypto,
@ -1068,7 +1068,7 @@ struct SecretVerificationRequest {
 }

 #[post("/accounts/verify-password", data = "<data>")]
-fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers) -> EmptyResult {
+async fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers, conn: DbConn) -> JsonResult {
    let data: SecretVerificationRequest = data.into_inner();
    let user = headers.user;

@ -1076,7 +1076,7 @@ fn verify_password(data: Json<SecretVerificationRequest>, headers: Headers) -> E
        err!("Invalid password")
    }

-    Ok(())
+    Ok(Json(master_password_policy(&user, &conn).await))
 }

 async fn _api_key(data: Json<PasswordOrOtpData>, rotate: bool, headers: Headers, mut conn: DbConn) -> JsonResult {
--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -200,15 +200,17 @@ fn get_api_webauthn(_headers: Headers) -> Json<Value> {
 fn config() -> Json<Value> {
    let domain = crate::CONFIG.domain();
    // Official available feature flags can be found here:
-    // Server (v2025.5.0): https://github.com/bitwarden/server/blob/4a7db112a0952c6df8bacf36c317e9c4e58c3651/src/Core/Constants.cs#L102
-    // Client (v2025.5.0): https://github.com/bitwarden/clients/blob/9df8a3cc50ed45f52513e62c23fcc8a4b745f078/libs/common/src/enums/feature-flag.enum.ts#L10
-    // Android (v2025.4.0): https://github.com/bitwarden/android/blob/bee09de972c3870de0d54a0067996be473ec55c7/app/src/main/java/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L27
-    // iOS (v2025.4.0): https://github.com/bitwarden/ios/blob/956e05db67344c912e3a1b8cb2609165d67da1c9/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
+    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
+    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
+    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
    let mut feature_states =
        parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
    feature_states.insert("duo-redirect".to_string(), true);
    feature_states.insert("email-verification".to_string(), true);
    feature_states.insert("unauth-ui-refresh".to_string(), true);
+    feature_states.insert("enable-pm-flight-recorder".to_string(), true);
+    feature_states.insert("mobile-error-reporting".to_string(), true);

    Json(json!({
        // Note: The clients use this version to handle backwards compatibility concerns
@ -216,7 +218,7 @@ fn config() -> Json<Value> {
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
        // - Individual cipher key encryption: 2024.2.0
-        "version": "2025.4.0",
+        "version": "2025.6.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -3334,13 +3334,17 @@ async fn put_reset_password_enrollment(

    let reset_request = data.into_inner();

-    if reset_request.reset_password_key.is_none()
-        && OrgPolicy::org_is_reset_password_auto_enroll(&org_id, &mut conn).await
-    {
+    let reset_password_key = match reset_request.reset_password_key {
+        None => None,
+        Some(ref key) if key.is_empty() => None,
+        Some(key) => Some(key),
+    };
+
+    if reset_password_key.is_none() && OrgPolicy::org_is_reset_password_auto_enroll(&org_id, &mut conn).await {
        err!("Reset password can't be withdrawn due to an enterprise policy");
    }

-    if reset_request.reset_password_key.is_some() {
+    if reset_password_key.is_some() {
        PasswordOrOtpData {
            master_password_hash: reset_request.master_password_hash,
            otp: reset_request.otp,
@ -3349,7 +3353,7 @@ async fn put_reset_password_enrollment(
        .await?;
    }

-    member.reset_password_key = reset_request.reset_password_key;
+    member.reset_password_key = reset_password_key;
    member.save(&mut conn).await?;

    let log_id = if member.reset_password_key.is_some() {
--- a/src/api/core/two_factor/yubikey.rs
+++ b/src/api/core/two_factor/yubikey.rs
@ -145,15 +145,14 @@ async fn activate_yubikey(data: Json<EnableYubikeyData>, headers: Headers, mut c

    // Ensure they are valid OTPs
    for yubikey in &yubikeys {
-        if yubikey.len() == 12 {
-            // YubiKey ID
+        if yubikey.is_empty() || yubikey.len() == 12 {
            continue;
        }

        verify_yubikey_otp(yubikey.to_owned()).await.map_res("Invalid Yubikey OTP provided")?;
    }

-    let yubikey_ids: Vec<String> = yubikeys.into_iter().map(|x| (x[..12]).to_owned()).collect();
+    let yubikey_ids: Vec<String> = yubikeys.into_iter().filter_map(|x| x.get(..12).map(str::to_owned)).collect();

    let yubikey_metadata = YubikeyMetadata {
        keys: yubikey_ids,
--- a/src/api/icons.rs
+++ b/src/api/icons.rs
@ -14,6 +14,7 @@ use reqwest::{
    Client, Response,
 };
 use rocket::{http::ContentType, response::Redirect, Route};
+use svg_hush::{data_url_filter, Filter};

 use html5gum::{Emitter, HtmlString, Readable, StringReader, Tokenizer};

@ -35,11 +36,29 @@ pub fn routes() -> Vec<Route> {
 static CLIENT: Lazy<Client> = Lazy::new(|| {
    // Generate the default headers
    let mut default_headers = HeaderMap::new();
-    default_headers.insert(header::USER_AGENT, HeaderValue::from_static("Links (2.22; Linux X86_64; GNU C; text)"));
-    default_headers.insert(header::ACCEPT, HeaderValue::from_static("text/html, text/*;q=0.5, image/*, */*;q=0.1"));
-    default_headers.insert(header::ACCEPT_LANGUAGE, HeaderValue::from_static("en,*;q=0.1"));
+    default_headers.insert(
+        header::USER_AGENT,
+        HeaderValue::from_static(
+            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36",
+        ),
+    );
+    default_headers.insert(header::ACCEPT, HeaderValue::from_static("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"));
+    default_headers.insert(header::ACCEPT_LANGUAGE, HeaderValue::from_static("en-US,en;q=0.9"));
    default_headers.insert(header::CACHE_CONTROL, HeaderValue::from_static("no-cache"));
    default_headers.insert(header::PRAGMA, HeaderValue::from_static("no-cache"));
+    default_headers.insert(header::UPGRADE_INSECURE_REQUESTS, HeaderValue::from_static("1"));
+
+    default_headers.insert("Sec-Ch-Ua-Mobile", HeaderValue::from_static("?0"));
+    default_headers.insert("Sec-Ch-Ua-Platform", HeaderValue::from_static("Linux"));
+    default_headers.insert(
+        "Sec-Ch-Ua",
+        HeaderValue::from_static("\"Not)A;Brand\";v=\"8\", \"Chromium\";v=\"138\", \"Google Chrome\";v=\"138\""),
+    );
+
+    default_headers.insert("Sec-Fetch-Site", HeaderValue::from_static("none"));
+    default_headers.insert("Sec-Fetch-Mode", HeaderValue::from_static("navigate"));
+    default_headers.insert("Sec-Fetch-User", HeaderValue::from_static("?1"));
+    default_headers.insert("Sec-Fetch-Dest", HeaderValue::from_static("document"));

    // Generate the cookie store
    let cookie_store = Arc::new(Jar::default());
@ -53,6 +72,7 @@ static CLIENT: Lazy<Client> = Lazy::new(|| {
        .pool_max_idle_per_host(5) // Configure the Hyper Pool to only have max 5 idle connections
        .pool_idle_timeout(pool_idle_timeout) // Configure the Hyper Pool to timeout after 10 seconds
        .default_headers(default_headers.clone())
+        .http1_title_case_headers()
        .build()
        .expect("Failed to build client")
 });
@ -561,6 +581,16 @@ async fn download_icon(domain: &str) -> Result<(Bytes, Option<&str>), Error> {

    if buffer.is_empty() {
        err_silent!("Empty response or unable find a valid icon", domain);
+    } else if icon_type == Some("svg+xml") {
+        let mut svg_filter = Filter::new();
+        svg_filter.set_data_url_filter(data_url_filter::allow_standard_images);
+        let mut sanitized_svg = Vec::new();
+        if svg_filter.filter(&*buffer, &mut sanitized_svg).is_err() {
+            icon_type = None;
+            buffer.clear();
+        } else {
+            buffer = sanitized_svg.into();
+        }
    }

    Ok((buffer, icon_type))
@ -581,6 +611,16 @@ async fn save_icon(path: &str, icon: Vec<u8>) {
 }

 fn get_icon_type(bytes: &[u8]) -> Option<&'static str> {
+    fn check_svg_after_xml_declaration(bytes: &[u8]) -> Option<&'static str> {
+        // Look for SVG tag within the first 1KB
+        if let Ok(content) = std::str::from_utf8(&bytes[..bytes.len().min(1024)]) {
+            if content.contains("<svg") || content.contains("<SVG") {
+                return Some("svg+xml");
+            }
+        }
+        None
+    }
+
    match bytes {
        [137, 80, 78, 71, ..] => Some("png"),
        [0, 0, 1, 0, ..] => Some("x-icon"),
@ -588,6 +628,8 @@ fn get_icon_type(bytes: &[u8]) -> Option<&'static str> {
        [255, 216, 255, ..] => Some("jpeg"),
        [71, 73, 70, 56, ..] => Some("gif"),
        [66, 77, ..] => Some("bmp"),
+        [60, 115, 118, 103, ..] => Some("svg+xml"), // Normal svg
+        [60, 63, 120, 109, 108, ..] => check_svg_after_xml_declaration(bytes), // An svg starting with <?xml
        _ => None,
    }
 }
@ -599,6 +641,12 @@ async fn stream_to_bytes_limit(res: Response, max_size: usize) -> Result<Bytes,
    let mut buf = BytesMut::new();
    let mut size = 0;
    while let Some(chunk) = stream.next().await {
+        // It is possible that there might occure UnexpectedEof errors or others
+        // This is most of the time no issue, and if there is no chunked data anymore or at all parsing the HTML will not happen anyway.
+        // Therfore if chunk is an err, just break and continue with the data be have received.
+        if chunk.is_err() {
+            break;
+        }
        let chunk = &chunk?;
        size += chunk.len();
        buf.extend(chunk);
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -14,6 +14,7 @@ use crate::{
            log_user_event,
            two_factor::{authenticator, duo, duo_oidc, email, enforce_2fa_policy, webauthn, yubikey},
        },
+        master_password_policy,
        push::register_push_device,
        ApiResult, EmptyResult, JsonResult,
    },
@ -132,18 +133,6 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
    Ok(Json(result))
 }

-#[derive(Default, Deserialize, Serialize)]
-#[serde(rename_all = "camelCase")]
-struct MasterPasswordPolicy {
-    min_complexity: u8,
-    min_length: u32,
-    require_lower: bool,
-    require_upper: bool,
-    require_numbers: bool,
-    require_special: bool,
-    enforce_on_login: bool,
-}
-
 async fn _password_login(
    data: ConnectData,
    user_id: &mut Option<UserId>,
@ -300,36 +289,7 @@ async fn _password_login(
    let (access_token, expires_in) = device.refresh_tokens(&user, scope_vec, data.client_id);
    device.save(conn).await?;

-    // Fetch all valid Master Password Policies and merge them into one with all trues and largest numbers as one policy
-    let master_password_policies: Vec<MasterPasswordPolicy> =
-        OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
-            &user.uuid,
-            OrgPolicyType::MasterPassword,
-            conn,
-        )
-        .await
-        .into_iter()
-        .filter_map(|p| serde_json::from_str(&p.data).ok())
-        .collect();
-
-    // NOTE: Upstream still uses PascalCase here for `Object`!
-    let master_password_policy = if !master_password_policies.is_empty() {
-        let mut mpp_json = json!(master_password_policies.into_iter().reduce(|acc, policy| {
-            MasterPasswordPolicy {
-                min_complexity: acc.min_complexity.max(policy.min_complexity),
-                min_length: acc.min_length.max(policy.min_length),
-                require_lower: acc.require_lower || policy.require_lower,
-                require_upper: acc.require_upper || policy.require_upper,
-                require_numbers: acc.require_numbers || policy.require_numbers,
-                require_special: acc.require_special || policy.require_special,
-                enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
-            }
-        }));
-        mpp_json["Object"] = json!("masterPasswordPolicy");
-        mpp_json
-    } else {
-        json!({"Object": "masterPasswordPolicy"})
-    };
+    let master_password_policy = master_password_policy(&user, conn).await;

    let mut result = json!({
        "access_token": access_token,
@ -758,7 +718,10 @@ async fn register_verification_email(
 ) -> ApiResult<RegisterVerificationResponse> {
    let data = data.into_inner();

-    if !CONFIG.is_signup_allowed(&data.email) {
+    // the registration can only continue if signup is allowed or there exists an invitation
+    if !(CONFIG.is_signup_allowed(&data.email)
+        || (!CONFIG.mail_enabled() && Invitation::find_by_mail(&data.email, &mut conn).await.is_some()))
+    {
        err!("Registration not allowed or user already exists")
    }

--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -32,7 +32,10 @@ pub use crate::api::{
    web::routes as web_routes,
    web::static_files,
 };
-use crate::db::{models::User, DbConn};
+use crate::db::{
+    models::{OrgPolicy, OrgPolicyType, User},
+    DbConn,
+};

 // Type aliases for API methods results
 type ApiResult<T> = Result<T, crate::error::Error>;
@ -68,3 +71,49 @@ impl PasswordOrOtpData {
        Ok(())
    }
 }
+
+#[derive(Debug, Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct MasterPasswordPolicy {
+    min_complexity: Option<u8>,
+    min_length: Option<u32>,
+    require_lower: bool,
+    require_upper: bool,
+    require_numbers: bool,
+    require_special: bool,
+    enforce_on_login: bool,
+}
+
+// Fetch all valid Master Password Policies and merge them into one with all trues and largest numbers as one policy
+async fn master_password_policy(user: &User, conn: &DbConn) -> Value {
+    let master_password_policies: Vec<MasterPasswordPolicy> =
+        OrgPolicy::find_accepted_and_confirmed_by_user_and_active_policy(
+            &user.uuid,
+            OrgPolicyType::MasterPassword,
+            conn,
+        )
+        .await
+        .into_iter()
+        .filter_map(|p| serde_json::from_str(&p.data).ok())
+        .collect();
+
+    let mut mpp_json = if !master_password_policies.is_empty() {
+        json!(master_password_policies.into_iter().reduce(|acc, policy| {
+            MasterPasswordPolicy {
+                min_complexity: acc.min_complexity.max(policy.min_complexity),
+                min_length: acc.min_length.max(policy.min_length),
+                require_lower: acc.require_lower || policy.require_lower,
+                require_upper: acc.require_upper || policy.require_upper,
+                require_numbers: acc.require_numbers || policy.require_numbers,
+                require_special: acc.require_special || policy.require_special,
+                enforce_on_login: acc.enforce_on_login || policy.enforce_on_login,
+            }
+        }))
+    } else {
+        json!({})
+    };
+
+    // NOTE: Upstream still uses PascalCase here for `Object`!
+    mpp_json["Object"] = json!("masterPasswordPolicy");
+    mpp_json
+}
--- a/src/config.rs
+++ b/src/config.rs
@ -856,10 +856,10 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
        }
    }

-    // Server (v2025.5.0): https://github.com/bitwarden/server/blob/4a7db112a0952c6df8bacf36c317e9c4e58c3651/src/Core/Constants.cs#L102
-    // Client (v2025.5.0): https://github.com/bitwarden/clients/blob/9df8a3cc50ed45f52513e62c23fcc8a4b745f078/libs/common/src/enums/feature-flag.enum.ts#L10
-    // Android (v2025.4.0): https://github.com/bitwarden/android/blob/bee09de972c3870de0d54a0067996be473ec55c7/app/src/main/java/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L27
-    // iOS (v2025.4.0): https://github.com/bitwarden/ios/blob/956e05db67344c912e3a1b8cb2609165d67da1c9/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
+    // Server (v2025.6.2): https://github.com/bitwarden/server/blob/d094be3267f2030bd0dc62106bc6871cf82682f5/src/Core/Constants.cs#L103
+    // Client (web-v2025.6.1): https://github.com/bitwarden/clients/blob/747c2fd6a1c348a57a76e4a7de8128466ffd3c01/libs/common/src/enums/feature-flag.enum.ts#L12
+    // Android (v2025.6.0): https://github.com/bitwarden/android/blob/b5b022caaad33390c31b3021b2c1205925b0e1a2/app/src/main/kotlin/com/x8bit/bitwarden/data/platform/manager/model/FlagKey.kt#L22
+    // iOS (v2025.6.0): https://github.com/bitwarden/ios/blob/ff06d9c6cc8da89f78f37f376495800201d7261a/BitwardenShared/Core/Platform/Models/Enum/FeatureFlag.swift#L7
    //
    // NOTE: Move deprecated flags to the utils::parse_experimental_client_feature_flags() DEPRECATED_FLAGS const!
    const KNOWN_FLAGS: &[&str] = &[
--- a/src/db/models/org_policy.rs
+++ b/src/db/models/org_policy.rs
@ -211,7 +211,7 @@ impl OrgPolicy {
    pub async fn find_accepted_and_confirmed_by_user_and_active_policy(
        user_uuid: &UserId,
        policy_type: OrgPolicyType,
-        conn: &mut DbConn,
+        conn: &DbConn,
    ) -> Vec<Self> {
        db_run! { conn: {
            org_policies::table
--- a/src/static/templates/scss/vaultwarden.scss.hbs
+++ b/src/static/templates/scss/vaultwarden.scss.hbs
@ -21,17 +21,37 @@ a[href$="/settings/sponsored-families"] {
 }

 /* Hide the `Enterprise Single Sign-On` button on the login page */
-app-root form.ng-untouched button.\!tw-text-primary-600:nth-child(4) {
+{{#if (webver ">=2025.5.1")}}
+.vw-sso-login {
  @extend %vw-hide;
 }
+{{else}}
+app-root ng-component > form > div:nth-child(1) > div > button[buttontype="secondary"].\!tw-text-primary-600:nth-child(4) {
+  @extend %vw-hide;
+}
+{{/if}}
+
 /* Hide Log in with passkey on the login page */
-app-root form.ng-untouched > div > div > button.\!tw-text-primary-600:nth-child(3) {
+{{#if (webver ">=2025.5.1")}}
+.vw-passkey-login {
+  @extend %vw-hide;
+}
+{{else}}
+app-root ng-component > form > div:nth-child(1) > div > button[buttontype="secondary"].\!tw-text-primary-600:nth-child(3) {
  @extend %vw-hide;
 }
+{{/if}}
+
 /* Hide the or text followed by the two buttons hidden above */
-app-root form.ng-untouched > div:nth-child(1) > div:nth-child(3) > div:nth-child(2) {
+{{#if (webver ">=2025.5.1")}}
+.vw-or-text {
  @extend %vw-hide;
 }
+{{else}}
+app-root ng-component > form > div:nth-child(1) > div:nth-child(3) > div:nth-child(2) {
+  @extend %vw-hide;
+}
+{{/if}}

 /* Hide Two-Factor menu in Organization settings */
 bit-nav-item[route="settings/two-factor"],
--- a/src/util.rs
+++ b/src/util.rs
@ -61,9 +61,11 @@ impl Fairing for AppHeaders {

        // The `Cross-Origin-Resource-Policy` header should not be set on images or on the `icon_external` route.
        // Otherwise some clients, like the Bitwarden Desktop, will fail to download the icons
+        let mut is_image = true;
        if !(res.headers().get_one("Content-Type").is_some_and(|v| v.starts_with("image/"))
            || req.route().is_some_and(|v| v.name.as_deref() == Some("icon_external")))
        {
+            is_image = false;
            res.set_raw_header("Cross-Origin-Resource-Policy", "same-origin");
        }

@ -71,6 +73,11 @@ impl Fairing for AppHeaders {
        // This can cause issues when some MFA requests needs to open a popup or page within the clients like WebAuthn, or Duo.
        // This is the same behavior as upstream Bitwarden.
        if !req_uri_path.ends_with("connector.html") {
+            let csp = if is_image {
+                // Prevent scripts, frames, objects, etc., from loading with images, mainly for SVG images, since these could contain JavaScript and other unsafe items.
+                // Even though we sanitize SVG images before storing and viewing them, it's better to prevent allowing these elements.
+                String::from("default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; script-src 'none'; frame-src 'none'; object-src 'none")
+            } else {
                // # Frame Ancestors:
                // Chrome Web Store: https://chrome.google.com/webstore/detail/bitwarden-free-password-m/nngceckbapebfimnlniiiahkandclblb
                // Edge Add-ons: https://microsoftedge.microsoft.com/addons/detail/bitwarden-free-password/jbkfoedolllekgbhcbcoahefnbanhhlh?hl=en-US
@ -81,8 +88,8 @@ impl Fairing for AppHeaders {
                // Leaked Passwords check: api.pwnedpasswords.com
                // 2FA/MFA Site check: api.2fa.directory
                // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
-            // app.simplelogin.io, app.addy.io, api.fastmail.com, quack.duckduckgo.com
-            let csp = format!(
+                // app.simplelogin.io, app.addy.io, api.fastmail.com, api.forwardemail.net
+                format!(
                    "default-src 'none'; \
                    font-src 'self'; \
                    manifest-src 'self'; \
@ -113,7 +120,9 @@ impl Fairing for AppHeaders {
                    icon_service_csp = CONFIG._icon_service_csp(),
                    allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors(),
                    allowed_connect_src = CONFIG.allowed_connect_src(),
-            );
+                )
+            };
+
            res.set_raw_header("Content-Security-Policy", csp);
            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
        } else {