SB2025102826 - Two vulnerabilities in OpenBao
Published: October 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-52893)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into logs. A remote user can read the log and gain access to sensitive data.
2) Improper authorization (CVE-ID: CVE-2025-52894)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing authorization checks. A remote non-authenticated attacker can perform cancellation of root rekey and recovery rekey operations, leading to a denial of service conditions.
Remediation
Install update from vendor's website.
References
- https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a
- https://github.com/go-viper/mapstructure/pull/105
- https://github.com/go-viper/mapstructure/releases/tag/v2.3.0
- https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30
- https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq
- https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b
- https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h