CVE-2025-54999

CVE-2025-54999

Name

CVE-2025-54999

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.

NVD Severity

low

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
MISC	https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
MISC	https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
CONFIRM	https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357

Type

URI

MISC

https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034

MISC

https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095

MISC

https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626

CONFIRM

https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357

CPE URI	Source package	Min version	Max version
	openbao	>= 0.1.0	< 2.3.2

CPE URI

Source package

Min version

Max version

openbao

>= 0.1.0

< 2.3.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openbao	edge-community	2.3.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed
openbao	edge-community	2.1.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.3.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.1.0-r5	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r3	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages