CVE-2025-70050 in lesspass
Summary
by MITRE • 03/09/2026
An issue pertaining to CWE-312: Cleartext Storage of Sensitive Information was discovered in lesspass lesspass v9.6.9 which allows attackers to obtain sensitive information.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2025-70050 represents a critical security flaw in the lesspass password manager version 9.6.9, specifically categorized under CWE-312 which addresses cleartext storage of sensitive information. This classification indicates that the application stores sensitive data in an unencrypted format, making it accessible to unauthorized parties who gain access to the system or application files. The lesspass password manager is designed to securely store and manage user credentials, yet this vulnerability undermines its core security promise by failing to properly encrypt sensitive information during storage operations.
The technical implementation flaw manifests when the application persists sensitive data such as passwords, encryption keys, or other confidential information in cleartext format within local storage mechanisms. This could occur through improper handling of database entries, file system storage, or memory management practices where sensitive fields are written to disk or memory without appropriate encryption. The vulnerability is particularly concerning because password managers are expected to provide the highest level of security for sensitive information, and storing this data in cleartext directly violates fundamental security principles. Attackers who can access the application's storage mechanisms or file system can directly extract these unencrypted credentials, potentially gaining access to multiple accounts and systems that rely on the stored passwords.
The operational impact of this vulnerability extends beyond simple credential theft, as it fundamentally compromises the trust model that password managers are designed to establish. When sensitive information is stored in cleartext, the entire security architecture of the application becomes ineffective, regardless of other security measures such as network encryption or authentication protocols. This vulnerability aligns with ATT&CK technique T1552.001 which focuses on unsecured credentials, and T1003 which covers credential access through various methods including direct access to stored credentials. The risk is amplified in environments where multiple users share systems or where file system access controls are insufficient, as any local user or attacker with read access to the application's storage directories can immediately extract all stored credentials without requiring additional exploitation techniques.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term architectural improvements. The primary fix involves implementing robust encryption mechanisms for all sensitive data storage, utilizing industry-standard encryption algorithms such as AES-256 for data at rest. The application should employ proper key management practices, potentially integrating with secure key storage solutions or hardware security modules. Additionally, implementing proper access controls and file system permissions can help limit exposure even if encryption is not immediately available. Security best practices suggest that all sensitive information should be encrypted before storage, with keys properly managed and separate from the data itself. Organizations using lesspass should immediately update to patched versions, implement additional monitoring for unauthorized access attempts, and consider temporary workarounds such as manual credential rotation for critical systems until proper encryption is implemented. The vulnerability demonstrates the critical importance of following secure coding practices and conducting thorough security reviews of storage mechanisms, particularly for applications handling sensitive user information.