CVE Alert: CVE-2025-54999
Vulnerability Summary: CVE-2025-54999
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao’s userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.
Affected Endpoints:
No affected endpoints listed.
Published Date:
8/9/2025, 3:15:46 AM
❄️ CVSS Score:
Exploit Status:
Not ExploitedEPS Score: 0.00017 | Ranking EPS: 0.02385
References:
- https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
- https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
- https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
