CVE-2025-54997

CVE-2025-54997

Name

CVE-2025-54997

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
MISC	https://github.com/openbao/openbao/pull/1634
MISC	https://github.com/openbao/openbao/releases/tag/v2.3.2
CONFIRM	https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp

Type

URI

MISC

https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033

MISC

https://github.com/openbao/openbao/pull/1634

MISC

https://github.com/openbao/openbao/releases/tag/v2.3.2

CONFIRM

https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp

CPE URI	Source package	Min version	Max version
	openbao	>= 0	< 2.3.2

CPE URI

Source package

Min version

Max version

openbao

>= 0

< 2.3.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openbao	edge-community	2.3.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed
openbao	edge-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.3.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r3	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.1.0-r5	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages