
Local Dependency Audit — 2025-11-09

Summary

This repository was audited locally using the Docker-based audit tooling in docker/audit. The audit ran cargo-audit and cargo-deny and produced the following notable findings:

  • RUSTSEC-2023-0071 (rsa 0.9.8) — a timing side-channel vulnerability ("Marvin Attack") affecting the rsa crate. No safe upgrade was available at the time of the audit; the crate is transitive (via openidconnect).
  • RUSTSEC-2024-0436 (paste 1.0.15) — crate marked as unmaintained (transitive via rmp/rmpv).
  • License checks reported numerous rejections (many transitive crates); see docker/audit/output/cargo-deny-licenses.err for full diagnostics.

Artifacts

The raw audit captures are available in docker/audit/output/ in this working copy (they were copied from the audit container):

  • cargo-version.txt — cargo version captured from the audit container
  • cargo-audit.err — cargo-audit stderr (contains CLI errors/diagnostics or JSON when supported)
  • cargo-deny-advisories.err — cargo-deny advisories diagnostics (JSON preferred)
  • cargo-deny-licenses.err — cargo-deny license diagnostics (large)

  1. Triage RUSTSEC-2023-0071 (rsa)

    • Use cargo tree -i rsa to confirm the top-level crate(s) that bring in rsa (expected: openidconnect).
    • Try upgrading openidconnect to a newer version that does not bring rsa, or replace the OIDC/JWT dependency with an alternative that uses a constant-time crypto implementation (e.g., ring/openssl-backed option).
    • If the dependency cannot be removed immediately, document the exception and create a tracking issue to replace the transitive dependency.
  2. Triage paste unmaintained advisory

    • Identify the top-level dependency chain and attempt to upgrade or replace the dependency (rmp/rmpv) or migrate to a maintained fork.
  3. License policy

    • Review deny.toml added to the repository as a starting policy. Adjust licenses.allowed to match project licensing policy.
    • For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates.

Temporary exceptions

To unblock CI while we triage and remediate, this PR (branch remediations/audit-2025-11-09) adds temporary, timeboxed exceptions for two advisories in deny.toml:

  • RUSTSEC-2023-0071 — rsa = 0.9.8 (transitive via openidconnect). No safe published upgrade was available at audit time. A temporary exception is recorded with an expiration date and linked tracking issue.
  • RUSTSEC-2024-0436 — paste = 1.0.15 (transitive via rmp/rmpv). Crate is marked unmaintained; a temporary exception is recorded while we plan a migration/replacement.

These exceptions are intended to be short-lived. See issues/TRACK-2025-11-09-RSA-PASTE.md for the remediation plan, owner, and ETA. The exceptions include an expires date and rationale; they should be removed when the underlying transitive dependency is replaced or a safe upgrade is published.

  1. CI integration

    • The PR adds a GitHub Actions workflow .github/workflows/audit.yml which runs cargo-audit and cargo-deny. Tweak tool versions and failure behavior to match your release policy (block PRs or only emit warnings).
  2. Follow-up work

    • If replacements require code changes (e.g., replacing OIDC crate), create small follow-up PRs with unit tests and integration tests for auth flows.

Contact / Tracking

Open a follow-up issue for each remediation item (e.g., "Replace transitive rsa usage" and "Replace unmaintained paste dependency"). Link those issues from this note and the PR.