With the number of data breaches doing the rounds at the moment, it is more and more important not to share passwords between sites or services. But to keep track of all your different passwords, a password manager is less of a luxury and more of a necessity. While we have not implemented a step-by-step to install a password manager in our Build your own homelab series, we have looked at Vaultwarden as a service before. However, Bitwarden is also a hugely popular choice, trusted by millions for its robust security, open-source nature, and flexibility.
One of Bitwarden’s standout features, especially for the tech-savvy and privacy-conscious, is the ability to self-host. Instead of relying on Bitwarden’s cloud servers, you can run your own Bitwarden instance on your own hardware, as you can with Vaultwarden. Recently, a vulnerability (identified broadly as CVE-2025-5138) highlighted a potential risk in how some versions of Bitwarden (up to version 2.25.1) handled PDF file attachments. Let’s break down what this means in plain English.
What Was the Bitwarden PDF Vulnerability?
Imagine you use Bitwarden not just for passwords, but also to store sensitive documents, perhaps as PDF attachments. The vulnerability in question concerned how Bitwarden’s system, particularly in its web-based vault, dealt with these PDFs.
In simple terms, it was discovered that a cleverly crafted, malicious PDF file could potentially be uploaded to a Bitwarden vault. This wasn’t your average PDF; it would contain hidden code (specifically, JavaScript).
What’s the risk? If a user then opened or previewed this “booby-trapped” PDF within their Bitwarden web vault, that hidden code could run within their browser. Because it runs “inside” the Bitwarden environment, it could potentially be used by an attacker to perform actions as if they were the logged-in user. This is a type of attack called Cross-Site Scripting (XSS). While exploiting this would require several steps and user interaction, it represents a crack in the armour that needs to be addressed.
The core issue was that the system didn’t sufficiently check or ‘cleanse’ the uploaded PDFs to ensure they didn’t contain this kind of active, potentially harmful code.
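As an added example (not part of the original post, and not the check Bitwarden itself shipped), here is the kind of pre-upload inspection the paragraph above describes: it scans a PDF's raw bytes for name tokens that indicate embedded scripts or auto-triggered actions, decoding PDF's #xx name escapes so an obfuscated /Java#53cript is still recognised as /JavaScript. The indicator list and the two sample PDFs are constructed for this example.

```python
import re

# Name tokens that indicate active content or auto-triggered actions.
# Constructed list for this example (the kind of indicators pdfid-style
# tools look for); it is not Bitwarden's own check.
ACTIVE_CONTENT_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# A PDF name object: a slash followed by regular (non-delimiter) characters.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# PDF allows any byte in a name to be written as #xx (hex).
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Decode '#xx' escapes so /Java#53cript compares equal to /JavaScript."""
    decoded = _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def find_active_content(pdf_bytes: bytes) -> set[str]:
    """Return the set of suspicious name tokens present in the raw PDF bytes."""
    found = set()
    for match in _NAME_RE.finditer(pdf_bytes):
        name = _decode_name(match.group(0))
        if name in ACTIVE_CONTENT_NAMES:
            found.add(name)
    return found


def is_safe_to_upload(pdf_bytes: bytes) -> bool:
    """Policy: accept only real PDFs with no script or auto-action indicators."""
    return pdf_bytes.startswith(b"%PDF-") and not find_active_content(pdf_bytes)


# Constructed samples (not real attachments): a bare PDF skeleton, and the
# same skeleton with an auto-run JavaScript action whose action type is
# hex-escaped so a naive substring search for "/JavaScript" would miss it.
CLEAN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SCRIPTED_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print("clean:", sorted(find_active_content(CLEAN_PDF)), is_safe_to_upload(CLEAN_PDF))
    print("scripted:", sorted(find_active_content(SCRIPTED_PDF)), is_safe_to_upload(SCRIPTED_PDF))
```

This only inspects uncompressed bytes; actions hidden inside FlateDecode-compressed object streams would need to be inflated first, so treat it as a first-line heuristic rather than a complete sanitiser.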
Self-Hosting Security: Bitwarden vs. Vaultwarden
When you self-host, you take on the security management. This brings us to a common comparison: the official Bitwarden self-hosted setup versus Vaultwarden.
- Bitwarden (Official): This is the version provided directly by the Bitwarden company.
- Pros: It’s the official, fully supported version. It undergoes regular professional security audits, and you can pay for enterprise features and support. Its development aligns directly with the company’s roadmap.
- Cons: It’s designed for scalability and can be quite resource-hungry, often requiring multiple Docker containers and a fair amount of RAM. This can be overkill (and costly) for personal users or small families. Some features might still require a paid license even when self-hosted.
- Vaultwarden (Community): Originally known as bitwarden_rs, this is an alternative implementation of the Bitwarden server written in Rust. It’s API-compatible, meaning you can use the official Bitwarden apps (desktop, mobile, browser extensions) with it.
- Pros: It is incredibly lightweight, running as a single, small container and consuming minimal resources (perfect for Raspberry Pi or low-spec servers). It’s developed by a dedicated community, is fully open-source, and often includes many ‘premium’ Bitwarden features for free. Updates can be frequent.
- Cons: It’s not official. It doesn’t undergo the same rigorous, paid third-party security audits as the official Bitwarden. While the code is open and generally considered secure (and Rust itself offers some safety benefits), you’re relying on community vigilance and support. There can sometimes be a slight lag or minor compatibility issues when Bitwarden makes major changes to its official clients.
In essence: Bitwarden offers audited, official security but requires more resources. Vaultwarden offers a lightweight, feature-rich experience with community-driven security, which many find perfectly adequate (and preferable) for personal use, especially when combined with good server-hardening practices.
Patching the Vulnerability: What Self-Hosters Need to Do
If you are self-hosting the official Bitwarden, keeping it updated is crucial. Bitwarden has addressed vulnerabilities like the PDF issue in newer releases. The update process is generally straightforward if you used the standard installation scripts.
Here’s the typical update process (run these commands from your Bitwarden installation directory):
For Linux/macOS:
./bitwarden.sh updateself
./bitwarden.sh update
For Windows (using PowerShell):
.\bitwarden.ps1 -updateself
.\bitwarden.ps1 -update
The updateself command updates the script itself, and the update command pulls the latest Docker images and restarts your Bitwarden containers. If you installed manually or offline, refer to the official Bitwarden documentation for specific instructions.
If you use Vaultwarden: You also need to keep it updated. How you do this depends on how you installed it (e.g., updating the Docker image and restarting the container). Keep an eye on the Vaultwarden GitHub page or community forums for update news.
Conclusion: Is It Time to Look at Vaultwarden?
Security vulnerabilities are a fact of life in software, even for excellent products like Bitwarden. The key is how quickly they are addressed and how diligent users are about updating.
For self-hosters, this recent PDF vulnerability serves as a reminder of the need to stay current. It also presents an opportunity to review your setup. If you’re running the official Bitwarden stack and find its resource demands a bit heavy, or if you’re drawn to a more community-driven, ‘all-features-unlocked’ experience, Vaultwarden is an incredibly compelling alternative.
It offers the core Bitwarden experience – secure, cross-platform password management – but in a package that’s significantly easier on your server and potentially simpler to manage for home or small-scale use. While you trade official audits for community oversight, many self-hosters find this a worthwhile trade-off for the efficiency and features gained. If you’re managing your own server, Vaultwarden’s blend of power, lightness, and community spirit makes it a strong contender worthy of serious consideration.
We aren’t saying that the same or a different type of vulnerability cannot exist in Vaultwarden, but this should serve as a reminder to keep your installations updated and to take security seriously in your homelab, regardless of whether you choose Vaultwarden or Bitwarden.