2025.8.1 Release Notes

2025.8.1

(The listed release number is for the Bitwarden Server; other version numbers released in this cycle also include Web 2025.8.2 and Mobile 2025.8.1.)

:warning: Note

Helm Charts Versioning Update: For Bitwarden self-host Helm charts, the CalVer versioning scheme (2025.8.0) will be deprecated on November 13, 2025. After this date, only SemVer versions will be supported and released.

You can start using SemVer 1.0.0 now; however, note that until November 13, 2025, you must always specify --version <semver-version> during upgrades:

helm upgrade self-host-bsfyr9bpzk bitwarden/self-host --version <semver-version> -n bitwarden

 

Password Manager

  • Card autofill for Android: The Bitwarden Android app can now autofill cards, such as debit or credit cards. Learn more here.

  • Failed 2FA emails: Users will now receive an email notifying them of failed login attempts that were prevented by two-step login. If you receive these emails, update your master password immediately to one that is strong, unique, and has never been used before. Learn more here.

Secrets Manager

  • New event logs: Secrets Manager will now log events when projects are accessed, created, edited, or deleted. Learn more here.

 


Additions from the GitHub releases:

Server 2025.8.1

  • Removed feature flags
  • Added once-per-hour limit to email notifications for failed 2FA
  • Dependency updates, bug fixes, and small improvements

 

Web 2025.8.2

  • Dependency updates, bug fixes, and small improvements

 

Web 2025.8.3

  • Bug Fixes

 

Android Password Manager 2025.8.1 (20670) – Overview

  • Added support for autofilling credit cards.
  • Resolved a bug that caused autofill to fail and redirect users back to the vault on some devices.
  • Fixed a crash occurring immediately after opening a vault entry on some devices.
  • Addressed an issue where the Identity Address ‘State’ field was not displaying correctly.
  • Various under the hood improvements.

 

Android Authenticator 2025.8.1 (755) – Overview

  • Various under the hood improvements.

 

iOS Password Manager 2025.8.1 (2490) – Overview

  • Fixed an issue where using a passkey with Master Password Reprompt could log users out and reset vault timeout settings.
  • Resolved an issue where exporting individual vaults for organization users didn’t generate an event in the event log.

 

iOS Authenticator 2025.8.1 (165) – Overview

  • Updated app icons to use the new Icon Composer in preparation for iOS 26

 

To keep everything in one place, new versions within this Release cycle will be added to this first post.

2 Likes

This feature also introduces the ability on Android to autosave credit card details you enter into forms without having to create the card manually in Bitwarden first.

2 Likes

:warning: It is important for users to know that Bitwarden no longer sends any email notices as a result of multiple failed login attempts in which an incorrect master password was entered (e.g., a credential stuffing attack or a brute-force attack).

In addition, unless there have been behind-the-scenes changes that have not been announced, Bitwarden apparently does not meaningfully rate-limit repeated failed login attempts, or implement standard brute-force protections such as exponential backoff — no matter whether the login fails at the password entry stage or at the 2FA stage. Recent experiences indicate that attackers can make thousands of rapid-fire login attempts, with an average delay on the order of 30 seconds. In this context, it is also important to know that Bitwarden now only sends the user at most one email notification per hour, so by the time that the email arrives, the attacker has already tested hundreds of 2FA codes.

I think that this is an area in which Bitwarden can do much better.

1 Like

Hey @grb, rate limiting is in place and the team is continuously reviewing it.

1 Like

Is this something that changed after the user experiences that were reported in the recent thread discussing the matter (i.e., in the past two weeks)? Because the rate-limiting that was in effect at that time did not seem effective, with thousands of attempts being made in the span of hours.

1 Like

Along with the fact that those users were not receiving any type of notification emails from Bitwarden at all (so they had no idea what was going on). To me, that seems like a pretty darned egregious error (out of character for the Bitwarden team). Why aren’t we hearing from Bitwarden more details about what happened leading up to that day?