A newly disclosed vulnerability in Bitwarden, a widely used open-source password manager, exposes users to potential cross-site scripting (XSS) attacks through malicious PDF files. The flaw, tracked as CVE-2025-5138, affects all versions up to 2.25.1 and remains unpatched.
The vulnerability lies in the PDF File Handler component, which fails to properly restrict the files uploaded through the "Resources" feature. An attacker can therefore upload a PDF that carries JavaScript in its action or form objects, and that script runs when a user opens the file inside the Bitwarden interface, because the viewer renders it in the application's own origin.
Technical Details
The issue stems from improper neutralization of user-supplied content, a classic cross-site scripting (XSS) weakness classified under CWE-79. The flaw has been assigned a CVSS v3.1 base score of 3.5, which falls in the Low severity band (scores below 4.0 are Low under the CVSS v3.1 rating scale).
Researchers say the vulnerability requires three key conditions for exploitation:
- The attacker must have a low-privilege, authenticated account on Bitwarden.
- User interaction is required to open the malicious PDF.
- The attack relies on the PDF being rendered inline by the browser's built-in PDF viewer (or an in-page viewer such as PDF.js) inside the application's origin, rather than being downloaded and opened in a separate application.
Once triggered, the embedded JavaScript runs in the context of the Bitwarden web application and can perform actions on behalf of the logged-in user. Reports describe possible session hijacking or access to stored credentials, but the assigned 3.5 score records no confidentiality impact and only a limited integrity impact, so those outcomes go beyond what the published rating supports. What the script can actually reach depends on whether the viewer executes PDF JavaScript at all and whether it runs with access to the application's origin.
Proof-of-Concept Demonstration
A security researcher known as YZS17 has published a detailed proof-of-concept (PoC) on GitHub. The demonstration shows how attackers can create a project in Bitwarden, upload a malicious PDF, and trigger code execution when a user views the file.
The attack takes advantage of how browsers render PDFs. JavaScript attached to the document's actions (an OpenAction, a link annotation, or a form-field event) is part of the PDF's own structure, so a check that only inspects the file extension or declared MIME type never sees it. The file passes Bitwarden's upload validation as a PDF and becomes the XSS payload once the viewer executes those actions.
This method echoes similar issues found in open-source PDF libraries like PDF-Lib and jsPDF, raising wider concerns about how web platforms handle PDF content.
Vendor Response and Risk
Despite early notification, Bitwarden has not issued any public response or patch. This silence has drawn criticism from researchers and users who rely on the platform’s advertised commitment to security.
As scored, the vulnerability does not affect confidentiality or availability and has only a limited integrity impact, which is why the rating is Low rather than Medium. The practical risk is that script running in the application's origin could perform actions on behalf of the user who opened the file, so the exposure is real even if it is narrower than some reports suggest.
| Risk Factors | Details |
|---|---|
| Affected Versions | Bitwarden ≤ 2.25.1 |
| Impact | Arbitrary JavaScript execution in the application's origin; reported (but not reflected in the score) session hijacking and credential theft |
| Exploit Prerequisites | Authenticated low-privilege account; user opens the malicious PDF; PDF rendered inline by the browser |
| CVSS v3.1 Score | 3.5 (Low) |
Mitigation and Recommendations
Until Bitwarden releases a fix, users and organizations are advised to exercise extreme caution. Avoid opening unknown or suspicious PDFs in Bitwarden’s vault, especially those received from third parties.
Security experts recommend considering alternative password managers temporarily if operational risk is high. Administrators who self-host should also tighten upload validation (check the file's magic bytes rather than its extension, and reject PDFs that carry JavaScript, OpenAction, additional-action or Launch entries), serve stored uploads with Content-Disposition: attachment from an origin separate from the application so they are downloaded rather than rendered in the vault, apply content security policies (CSPs) as defence in depth, and conduct regular vulnerability assessments.
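The following Node.js example is added here to illustrate the attack pattern described above and the upload checks and serving headers just recommended. It is not Bitwarden's code and does not reproduce the published PoC: it builds a small constructed PDF whose OpenAction points at a JavaScript action, scans an upload for the PDF names that introduce active content, and produces the response headers that make a stored file download instead of rendering in the application's origin. The function names, the list of flagged names and the sample files are all this example's own assumptions.

```javascript
// Added example, not Bitwarden's code: (1) build a constructed PDF whose
// /OpenAction points at a JavaScript action, the pattern the article describes,
// (2) scan an upload for the PDF names that introduce active content, and
// (3) produce response headers that make a stored upload download instead of
// rendering inside the application's origin. Run with: node pdf_upload_check.js

// Build a minimal single-page PDF. Cross-reference offsets are computed so the
// file is structurally valid; with withJs=true the catalog's /OpenAction runs
// app.alert() on open in viewers that execute PDF JavaScript at all.
function buildPdf({ withJs }) {
  const objects = [
    '<< /Type /Catalog /Pages 2 0 R' + (withJs ? ' /OpenAction 4 0 R' : '') + ' >>',
    '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    '<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>',
  ];
  if (withJs) objects.push("<< /S /JavaScript /JS (app.alert('xss')) >>");

  let body = '%PDF-1.7\n';
  const offsets = [];
  objects.forEach((obj, i) => {
    offsets.push(Buffer.byteLength(body, 'latin1'));
    body += `${i + 1} 0 obj\n${obj}\nendobj\n`;
  });
  const xrefPos = Buffer.byteLength(body, 'latin1');
  body += `xref\n0 ${objects.length + 1}\n0000000000 65535 f \n`;
  for (const off of offsets) body += `${String(off).padStart(10, '0')} 00000 n \n`;
  body += `trailer\n<< /Size ${objects.length + 1} /Root 1 0 R >>\n`;
  body += `startxref\n${xrefPos}\n%%EOF\n`;
  return Buffer.from(body, 'latin1');
}

// PDF names that attach actions or scripts to a document (ISO 32000-1, 12.6 and 12.7).
// A file that only contains pages and text never needs any of these.
const ACTIVE_CONTENT_NAMES = [
  '/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch', '/SubmitForm', '/ImportData', '/RichMedia',
];
// A PDF name ends at whitespace or a delimiter character, so /JS does not match /JSX.
const NAME_END = '(?=[\\s()<>\\[\\]{}/%]|$)';

function scanPdf(buf) {
  if (!buf.subarray(0, 5).equals(Buffer.from('%PDF-', 'latin1'))) {
    return { isPdf: false, findings: [], opaque: false };
  }
  // Names may use #xx escapes (/J#61vaScript); decode them before matching.
  const text = buf
    .toString('latin1')
    .replace(/#([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  const findings = ACTIVE_CONTENT_NAMES.filter((name) => new RegExp(name + NAME_END).test(text));
  // Object streams keep dictionaries inside compressed data, where a plaintext
  // scan cannot see them; treat such files as unscannable rather than clean.
  const opaque = /\/Type\s*\/ObjStm/.test(text);
  return { isPdf: true, findings, opaque };
}

// Policy decision for an upload endpoint: accept only files that are PDFs,
// carry no action/script names, and contain nothing the scanner cannot read.
function shouldAcceptUpload(buf) {
  const result = scanPdf(buf);
  return result.isPdf && result.findings.length === 0 && !result.opaque;
}

// Headers for serving a stored upload. Content-Disposition: attachment is the
// control that matters: the browser saves the file instead of rendering it in
// the application's origin. nosniff stops MIME guessing; the sandbox CSP is
// defence in depth for any browser that still decides to display the response.
function attachmentHeaders(filename) {
  const safeName = filename.replace(/[^A-Za-z0-9._-]/g, '_');
  return {
    'Content-Type': 'application/pdf',
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const withJs of [false, true]) {
    const pdf = buildPdf({ withJs });
    console.log(`withJs=${withJs}:`, scanPdf(pdf), 'accept =', shouldAcceptUpload(pdf));
  }
  console.log(attachmentHeaders('report; evil.html'));
}
```

The plaintext scan is a heuristic, not a parser: a PDF can hide its dictionaries in compressed object streams, which is why the example refuses files containing /ObjStm instead of declaring them clean. The durable control is the serving side: a user-controlled file that is never rendered in the application's origin cannot become XSS in that origin, whatever the viewer does with its JavaScript.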
This incident highlights the ongoing challenges of handling dynamic content like PDFs in web applications. Developers are urged to improve sandboxing and input sanitization when dealing with embedded file formats.