CVE-2024-33901

Severity: Medium · Public PoC

Published: 20 May 2024
Modified: 13 June 2025
KEV Added: not listed
Patch: none
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.2377 (96.1st percentile)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-33901 is a medium-severity Cleartext Storage of Sensitive Information in Memory (CWE-316) vulnerability in KeePassXC (vendor: keepassxc, product: keepassxc). Its CVSS base score is 6.5 (Medium).

Operationally, its EPSS score places it in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-33901 affects KeePassXC 2.7.7 and stems from memory-management behavior that leaves portions of decrypted .kdbx database contents, including some stored passwords, readable in process memory while a database is unlocked. The flaw is tracked under CWE-316 and carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, low attack complexity and low privileges required, with high confidentiality impact and no integrity or availability impact. Note that the recorded attack vector (AV:N) sits uneasily with the description, which requires the attacker to already be running with the victim's privileges on the same host.

An attacker who already possesses the privileges of the victim user can obtain a memory dump of the KeePassXC process and extract the exposed password material. Because keeping decrypted data in RAM during an active session is inherent to the current design (a usability requirement rather than an oversight), the vendor disputes that the behavior is a vulnerability that can be eliminated without unacceptable trade-offs.

Public references, including the KeePassXC issue tracker and the project’s prior memory-security write-up, indicate no patch is planned and reiterate that realistic alternatives still require sensitive data to reside in process memory during active sessions. The associated EPSS score has remained flat at 0.2377 with no observed rise after disclosure.
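The analysis above describes the exposure in terms a defender can act on: the decrypted material must exist in process memory while a session is open, so the practical controls are to refuse same-user memory dumps of the process and to shorten the window during which any individual secret is held. The following C program is an added illustration of both controls; it is not KeePassXC project code and makes no claim about how KeePassXC itself is implemented. It assumes a Linux kernel (for `prctl` and `RLIMIT_CORE`) and uses a constructed sample string in place of a real credential.

```c
/* Added example, not KeePassXC project code. Shows two host-side defences
 * against the CWE-316 exposure described above on Linux: refusing same-user
 * memory dumps of the process, and wiping a secret buffer as soon as the
 * session no longer needs it. Assumes a Linux kernel for prctl()/setrlimit(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Disable core files and mark the process non-dumpable. A non-dumpable
 * process cannot be attached with ptrace, nor read via /proc/<pid>/mem, by
 * another process running as the same unprivileged user; only a process
 * holding CAP_SYS_PTRACE can still do so. Returns 0 on success, -1 on error. */
int harden_against_memory_dumps(void) {
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Reports the process's current dumpable flag (0 = not dumpable). */
int is_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Wipes a secret buffer through a volatile pointer so the stores cannot be
 * treated as dead and removed by the optimizer, which is what happens to a
 * plain memset() issued just before the buffer goes out of scope.
 * glibc's explicit_bzero() provides the same guarantee. */
void wipe_secret(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_wiped(const unsigned char *buf, size_t len) {
    const volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Models the window in which a decrypted credential is held: copy a
 * constructed sample into a working buffer, use it, then wipe it.
 * Returns 1 when no plaintext byte survives the wipe. */
int demo_secret_lifecycle(void) {
    /* Constructed sample value for the example, not a real credential. */
    static const char sample[] = "constructed-sample-password";
    unsigned char work[64] = { 0 };
    memcpy(work, sample, sizeof sample);
    /* ... the credential would be used here, e.g. placed on the clipboard ... */
    wipe_secret(work, sizeof work);
    return is_wiped(work, sizeof work);
}

int main(void) {
    if (harden_against_memory_dumps() != 0) {
        perror("harden_against_memory_dumps");
        return 1;
    }
    printf("dumpable flag after hardening: %d\n", is_dumpable());
    printf("secret wiped after use: %s\n",
           demo_secret_lifecycle() ? "yes" : "no");
    return 0;
}
```

Neither control removes the exposure the vendor describes: while a database is unlocked, whatever the application needs for the current operation is necessarily in RAM. What the non-dumpable flag changes is that an attacker who merely shares the victim's user account can no longer read that memory without CAP_SYS_PTRACE, and prompt wiping means a dump taken at any given moment contains only the secrets in active use rather than everything decrypted since the session began.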

Vulnerability details

Issue in KeePassXC 2.7.7 allows an attacker (who has the privileges of the victim) to recover some passwords stored in the .kdbx database via a memory dump. NOTE: the vendor disputes this because memory-management constraints make this unavoidable in the current design and other realistic designs.

CWE(s)

CWE-316: Cleartext Storage of Sensitive Information in Memory
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: keepassxc
Product: keepassxc
Version: 2.7.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References