SB2025102835 - Multiple vulnerabilities in OpenBao



SB2025102835 - Multiple vulnerabilities in OpenBao

Published: October 28, 2025

Security Bulletin ID SB2025102835
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 57% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Improper privilege management (CVE-ID: CVE-2025-54997)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to improper privilege management within the API. A remote user with privileged API access can perform actions otherwise restricted to their account.


2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-54998)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass automatic lockout mechanism.

The vulnerability exists due to an error in the OpenBao Userpass and LDAP auth systems. A remote user attacker can bypass automatic user lockout mechanism and perform brute-force attacks. 


3) Observable discrepancy (CVE-ID: CVE-2025-54999)

CWE-ID: CWE-203 - Observable discrepancy

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to timing difference between non-existent users and users with stored credentials when userpass auth method is used.  A remote attacker can enumerate existing application users. 


4) Improper authentication (CVE-ID: CVE-2025-55000)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass MFA authentication.

The vulnerability exists due to an error caused by an unexpected normalization in the underlying TOTP library. A remote user can bypass MFA authentication and gain unauthorized access to the application. 


5) Protection Mechanism Failure (CVE-ID: CVE-2025-55001)

CWE-ID: CWE-693 - Protection Mechanism Failure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to bypass MFA enforcement.

The vulnerability exists due to insufficient implementation of security measures when handling LDAP authentication requests. A remote user can bypass MFA enforcement and gain unauthorized access to the application. 


6) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2025-55003)

CWE-ID: CWE-307 - Improper Restriction of Excessive Authentication Attempts

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to brute-force one time passwords.

The vulnerability exists due to an error caused by normalization applied by the underlying TOTP library, which lead to code with a whitespace were accepted. Such a whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes.


7) Improper privilege management (CVE-ID: CVE-2025-54996)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper privilege management. A remote user with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy.


Remediation

Install update from vendor's website.

References