The vulnerability affects the KeePass 2.X branch for Windows, and possibly for Linux and macOS. It has been fixed in the test versions of KeePass v2.54 – the official release is expected by July 2023. It’s unfortunate that the PoC tool is already publicly available and the release of the new version so far off, but the risk of CVE-2023-32784 being abused in the wild is likely to be pretty low, according to the researcher.

  • Yes.

    However, I’m perfectly happy with KeePassXC. It’s audited, secure, has a great UI, and if you want to accept less security can serve as a secret-service and ssh-agent replacement. There are a bunch of OSS tools and clients that support the kbx.v4 file format, and if you want to audit the code of the tools, they’re in almost every language. There are some really nice (pretty, user friendly) native mobile apps.

    There’s risk in grabbing any old client, of course, but having such a diverse ecosystem is nice, especially if you don’t mind reading some code.