CVE-2025-52893

Name
CVE-2025-52893
Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. As with HCSEC-2025-09, there is no known workaround other than ensuring that all clients send properly formatted requests.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type     URI
MISC     https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717
MISC     https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a
MISC     https://github.com/go-viper/mapstructure/pull/105
MISC     https://github.com/go-viper/mapstructure/releases/tag/v2.3.0
MISC     https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30
CONFIRM  https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq

Match rules

CPE URI                                    Source package  Min version  Max version
-                                          openbao         >= 0         < 2.3.0
cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*  openbao         >= None      < 2.3.0

Vulnerable and fixed packages

Source package  Branch            Version   Maintainer                            Status
openbao         edge-community    2.3.1-r0  Kevin Daudt <kdaudt@alpinelinux.org>  fixed
openbao         edge-community    2.2.2-r1  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.2-r0  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.1-r1  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.1-r0  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.0-r2  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.0-r1  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.2.0-r0  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.1.0-r2  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.1.0-r1  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         edge-community    2.1.0-r0  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable
openbao         3.22-community    2.1.0-r5  Kevin Daudt <kdaudt@alpinelinux.org>  possibly vulnerable