Mullvad VPN has announced the completion of an independent security audit of its web application, carried out by cybersecurity firm Assured AB. The audit found no critical, high, or medium-severity vulnerabilities, confirming Mullvad’s continued focus on maintaining strong user privacy and secure infrastructure.
The assessment, conducted between August 11 and August 22, 2025, covered Mullvad’s web application, its Onion service setup, the rsync synchronization system, and the content management system (CMS) used for publishing content.
Backend APIs and payment services were not included in the scope. The audit followed the OWASP Web Security Testing Guide, using both manual code review and dynamic testing.
During the evaluation, no security flaws capable of enabling crashes or unauthorized data access were found. One low-severity issue related to input validation was identified and quickly resolved.
Assured’s report confirmed that Mullvad’s web applications and supporting services follow good security practices. The firm reported the following results:
A verification test performed in late September confirmed that the low-severity issue and four of the five minor notes were fixed according to Assured’s recommendations. The remaining note, related to a framework behavior, was accepted since it had no security impact.
The low-severity issue involved missing input length checks for certain form fields. Without limits, these fields could accept unusually large inputs, potentially causing excessive resource use or displaying raw error messages. Mullvad implemented strict input validation and error sanitization to eliminate the risk.
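The class of fix described above, sketched as an added example; it is not Mullvad's or Assured's code, and the field names, limits and messages are assumptions chosen for illustration. It rejects oversized input before any further processing and returns only a generic message plus a reference id, keeping the detail in the server log.

```python
import logging
import uuid

log = logging.getLogger("forms")

# Hypothetical per-field limits in characters; not taken from the audit report.
FIELD_LIMITS = {"email": 254, "subject": 120, "message": 2000}
MAX_BODY_BYTES = 8192  # assumed cap on the encoded size of the whole submission


class FormRejected(Exception):
    """Carries only a client-safe message and a reference id."""
    def __init__(self, public_message, ref):
        super().__init__(public_message)
        self.public_message = public_message
        self.ref = ref


def _reject(public_message, detail):
    ref = uuid.uuid4().hex[:12]
    # Full detail stays in the server log, keyed by the reference id.
    log.warning("form rejected ref=%s detail=%s", ref, detail)
    return FormRejected(public_message, ref)


def validate_form(fields):
    """Return cleaned fields, or raise FormRejected before any costly work."""
    unknown = set(fields) - set(FIELD_LIMITS)
    if unknown:  # unexpected fields are refused rather than silently stored
        raise _reject("Invalid form submission.", f"unknown fields {sorted(unknown)}")
    total, cleaned = 0, {}
    for name, limit in FIELD_LIMITS.items():
        value = fields.get(name, "")
        if not isinstance(value, str):
            raise _reject("Invalid form submission.", f"{name}: type {type(value).__name__}")
        # Length is checked first: cheap, and done before stripping or parsing.
        if len(value) > limit:
            raise _reject("One or more fields are too long.", f"{name}: {len(value)} > {limit}")
        # Character limits do not bound bytes (multi-byte UTF-8), so count both.
        total += len(value.encode("utf-8", "replace"))
        cleaned[name] = value.strip()
    if total > MAX_BODY_BYTES:
        raise _reject("Submission is too large.", f"total bytes {total}")
    return cleaned
```
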
The CMS application, used internally by Mullvad staff, was also reviewed. It was found to be securely isolated from the public internet and VPN networks, following best practices. The CMS runs on an updated version of Django (4.2.22) and received positive remarks for its patch level, simplicity, and overall design.
Earlier observations around CORS policies and Onion service accessibility were fixed by restricting domain access and blocking administrative routes on the Tor network.
Additional checks confirmed strong configuration of HTTP security headers, Tor Onion services, and rsync synchronization, all operating securely without any major issues.
Mullvad said that regular, independent security audits are a key part of its privacy-by-design approach. The company emphasized that security reviews help uphold user trust and reinforce its commitment to transparency.
“Security reviews are integral to our privacy commitments - strong security underpins all our privacy-by-design services,” Mullvad stated in its announcement.
The full report from Assured is publicly available on Mullvad’s website.
The latest audit confirms that Mullvad VPN’s web platform maintains a robust security posture, with only minor issues identified and promptly fixed. The company plans to continue commissioning regular third-party audits to ensure ongoing reliability and user protection.