Mirror of https://github.com/dani-garcia/vaultwarden.git (synced 2026-03-25 07:41:20 -05:00)
Unauthorized access to icons #5938
Originally created by @showhwa on GitHub (Jun 25, 2025).
Vaultwarden Support String: Unrelated
Vaultwarden Build Version: Vaultwarden 1.34.1 Web-Vault 2025.5.0
Deployment method: Official Container Image
Custom deployment method: Unrelated
Reverse Proxy: nginx version: nginx/1.22.1 from apt-get
Host/Server Operating System: Linux
Operating System Version: Unrelated
Clients: Web Vault
Client Version: Unrelated
Steps To Reproduce:
Expected Result: 401: Unauthorized
Actual Result: show icons
Logs:
Screenshots or Videos:
Additional Context:
https://{domain}/icons/google.com/icon.png
https://{domain}/icons/youtube.com/icon.png
https://{domain}/icons/Github.com/icon.png
https://{domain}/icons/github.com/icon.png
https://{domain}/icons/{site-domain}/icon.png
@showhwa commented on GitHub (Jun 25, 2025):
I tried the official version and it is accessible,
https://icons.bitwarden.eu/github.com/icon.png
https://icons.bitwarden.net/github.com/icon.png
But the official version is public and multi-user, and does not have as much privacy as personal disclosure.
So should the self-hosted vault close icons and use the official icons server?
@dani-garcia commented on GitHub (Jun 25, 2025):
That is by design, and we can't really do access control of this endpoint as the clients don't send Authorization headers for this call. The only two alternatives are disabling the icon downloads altogether:
9059437c35/.env.template (L239)
Or updating Vaultwarden to use an external service, which will redirect all requests to an external service. The negative is that now that service will know which sites are part of your vault:
9059437c35/.env.template (L325)
@showhwa commented on GitHub (Jun 25, 2025):
@dani-garcia, thanks for the solution.
At first I thought that the icon server of the self-hosted password vault only provided the websites saved in the password vault. But when I tried to access the website that was not saved in the password vault, it also displayed it. I understood its principle (downloading icons according to the URL).
Instead of letting the icon server know the websites we saved, it is better to continue using the default method or duckduckgo, lol.
Finally, thank you again for letting me understand this knowledge.
@BlackDex commented on GitHub (Jun 25, 2025):
Vaultwarden can't read the stored vault items in the database, and thus also doesn't know which domains are configured.
It only knows the domains when an icon request is made.
There may be some ways to put some session checking on the icons by some reverse proxies? Like only allow an IP access to that endpoint when a /sync request was done within a specific amount of time and only allow that IP or so? The problem will be with roaming IPs of course, then suddenly a different IP which might still be valid doesn't have access anymore.
@showhwa commented on GitHub (Jun 25, 2025):
@BlackDex, as you said, after each /sync or other authenticated request, set a whitelist for the current IPs and directly block requests from other IPs. Icons are also requested when scrolling lists, searching, creating, logging in, etc., so it is best not to limit access time.
=========

Can the default Rocket 40X interface be replaced with Nginx's 40X interface?
This may increase the security of the Vaultwarden entrance.
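The reverse-proxy idea that @BlackDex and @showhwa sketch above (let an IP fetch /icons/... only if an authenticated sync was recently seen from that IP) is modelled below as an added example; it is not Vaultwarden's, nginx's, or either commenter's code. It assumes the sync path /api/sync (the thread abbreviates it as /sync), a 300-second window, and a constructed request log using RFC 5737 documentation addresses. The log deliberately includes the roaming-IP case BlackDex names, so the denial that causes is visible.

```python
# Added example (not Vaultwarden's or nginx's own code): a model of the
# reverse-proxy gate discussed in the thread. An IP may fetch /icons/...
# only if a successfully authenticated API call was seen from that same IP
# within a time window. Assumed: the path /api/sync, the 300 s window, and
# the constructed request log below.
from dataclasses import dataclass, field

WINDOW_SECONDS = 300.0


@dataclass
class IconGate:
    """Tracks, per client IP, when the last successfully authenticated
    API call was seen, and decides whether an icon request may pass."""
    window_seconds: float = WINDOW_SECONDS
    last_auth: dict = field(default_factory=dict)  # ip -> timestamp

    def observe(self, ts: float, ip: str, path: str, auth_ok: bool) -> str:
        """Return the gate's decision for one proxied request.

        auth_ok means the request carried an Authorization header AND the
        upstream (Vaultwarden) answered 200. The proxy cannot validate the
        token itself, so only upstream's verdict refreshes the allowlist.
        """
        if path.startswith("/icons/"):
            seen = self.last_auth.get(ip)
            if seen is not None and ts - seen <= self.window_seconds:
                return "allow"
            return "deny"
        if auth_ok:
            self.last_auth[ip] = ts
        return "pass"  # non-icon traffic is not gated by this model


def run_gate(log, window_seconds=WINDOW_SECONDS):
    """Apply the gate to a sequence of (ts, ip, path, auth_ok) tuples."""
    gate = IconGate(window_seconds)
    return [(ts, ip, path, gate.observe(ts, ip, path, auth_ok))
            for ts, ip, path, auth_ok in log]


# Constructed request log (not real traffic); times are seconds.
SAMPLE_LOG = [
    (0.0,   "203.0.113.5",  "/api/sync",                   True),   # client A syncs
    (5.0,   "198.51.100.9", "/api/sync",                   False),  # no valid token: upstream 401
    (10.0,  "203.0.113.5",  "/icons/github.com/icon.png",  False),  # A: synced 10 s ago, allowed
    (10.0,  "198.51.100.9", "/icons/github.com/icon.png",  False),  # never authenticated: denied
    (400.0, "203.0.113.5",  "/icons/youtube.com/icon.png", False),  # A: window expired, denied
    (405.0, "203.0.113.77", "/icons/youtube.com/icon.png", False),  # A roamed to a new IP: denied
    (410.0, "203.0.113.77", "/api/sync",                   True),   # A re-syncs from the new IP
    (411.0, "203.0.113.77", "/icons/youtube.com/icon.png", False),  # new IP now allowed
]


def decisions_only(log=SAMPLE_LOG):
    """Just the allow/deny/pass verdicts, in log order."""
    return [decision for _, _, _, decision in run_gate(log)]


if __name__ == "__main__":
    for ts, ip, path, decision in run_gate(SAMPLE_LOG):
        print(f"t={ts:6.0f}s {ip:14} {decision:5} {path}")
```

Two things the model makes visible: the roaming client at 203.0.113.77 is denied until it syncs again, which is exactly the failure mode raised above, and the gate only narrows who can reach the endpoint (any IP that recently synced can still request any domain's icon), so it reduces exposure of the fetch-by-URL behaviour rather than adding per-user authorization.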
@BlackDex commented on GitHub (Jun 25, 2025):
Not really, and that will only be security by obscurity, and hackers know that anyway.