CVE-2025-55000

CVE-2025-55000

Name

CVE-2025-55000

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
MISC	https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1
CONFIRM	https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg

Type

URI

MISC

https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

MISC

https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1

CONFIRM

https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg

CPE URI	Source package	Min version	Max version
	openbao	>= 0.1.0	< 2.3.2
`cpe:2.3:a:openbao:openbao::::::::`	openbao	>= None	< 2.3.2

CPE URI

Source package

Min version

Max version

openbao

>= 0.1.0

< 2.3.2

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

openbao

>= None

< 2.3.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openbao	edge-community	2.3.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	fixed
openbao	edge-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.3.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.2-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.1-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.2.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	edge-community	2.1.0-r0	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r3	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r2	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.3.1-r1	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable
openbao	3.22-community	2.1.0-r5	Kevin Daudt <kdaudt@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages