starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-12-10 01:10:09 +03:00
Code Issues 429 Packages Projects Releases 10 Wiki Activity

security against memory attacks? #2181

New Issue
Closed
opened 2025-10-09 17:49:27 +03:00 by OVERLORD · 4 comments
OVERLORD commented 2025-10-09 17:49:27 +03:00
Owner
Copy Link

Originally created by @pdarcos on GitHub.

Hi everyone,

Great project.

Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/

I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info?

Cheers

Originally created by @pdarcos on GitHub. Hi everyone, Great project. Has anyone read the latest report regarding password managers all being vulnerable to reading password in memory? https://www.forbes.com/sites/kateoflahertyuk/2019/02/20/password-managers-have-a-security-flaw-heres-how-to-avoid-it/ I wonder how bitwarden/bitwarden_rs would fare in this audit. Anyone have any more info? Cheers
OVERLORD commented 2025-10-09 17:49:30 +03:00
Author
Owner
Copy Link

@pdarcos commented on GitHub:

@dani-garcia That's what I was thinking too.

Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876

Cheers

@pdarcos commented on GitHub: @dani-garcia That's what I was thinking too. Thanks for confirming. I've opened up a ticket in the BW repo about this since it is an upstream client side vulnerability. https://github.com/bitwarden/browser/issues/876 Cheers
OVERLORD commented 2025-10-09 17:49:31 +03:00
Author
Owner
Copy Link

@dani-garcia commented on GitHub:

To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.

@dani-garcia commented on GitHub: To add some extra info, all the clients have an option to auto-lock the vault that should remove the master pass from RAM. Other than that and using 2FA, there is no other solution, really. If an attackere has control of your devices you've already lost.
OVERLORD commented 2025-10-09 17:49:32 +03:00
Author
Owner
Copy Link

@mprasil commented on GitHub:

I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.

@mprasil commented on GitHub: I'm going to close this, but feel free to reopen if you think this question is still relevant for some reason.
OVERLORD commented 2025-10-09 17:49:33 +03:00
Author
Owner
Copy Link

@mprasil commented on GitHub:

I think this question needs to be asked upstream. We use upstream code for the client side.

Server itself (which is what bitwarden_rs does) only handles already encrypted data, so there isn't much to leak.

@mprasil commented on GitHub: I think this question needs to be asked upstream. We use upstream code for the client side. Server itself (which is what `bitwarden_rs` does) only handles already encrypted data, so there isn't much to leak.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
better for forum
bug
bug
bug
documentation
duplicate
enhancement
future Vault
good first issue
help wanted
low priority
notes
pull-request
Mirrored from GitHub Pull Request
 question
SSO
Third party
troubleshooting
troubleshooting
wontfix
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/vaultwarden#2181
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?