Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-55003

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-09 Aug, 2025 | 02:01
Updated At-11 Aug, 2025 | 14:47
Rejected At-
Credits

OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:09 Aug, 2025 | 02:01
Updated At:11 Aug, 2025 | 14:47
Rejected At:
▼CVE Numbering Authority (CNA)
OpenBao Login MFA Bypasses Rate Limiting and TOTP Token Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.

Affected Products
Vendor
openbao
Product
openbao
Versions
Affected
  • < 2.3.2
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307: Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307: Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
3.15.7MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 5.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
x_refsource_CONFIRM
https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
x_refsource_MISC
Hyperlink: https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
Resource:
x_refsource_MISC
Hyperlink: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:09 Aug, 2025 | 03:15
Updated At:12 Aug, 2025 | 20:39

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.7MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CPE Matches
openbao
openbao
>>openbao>>Versions before 2.3.2(exclusive)
cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarysecurity-advisories@github.com
CWE ID: CWE-307
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038security-advisories@github.com
Not Applicable
https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19security-advisories@github.com
Patch
https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3psecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2025-54998
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.10%
||
7 Day CHG~0.00%
Published-09 Aug, 2025 | 02:00
Updated-12 Aug, 2025 | 20:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenBao Userpass and LDAP User Lockout Bypass

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.

Action-Not Available
Vendor-openbaoopenbao
Product-openbaoopenbao
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-6015
Matching Score-4
Assigner-HashiCorp Inc.
ShareView Details
Matching Score-4
Assigner-HashiCorp Inc.
CVSS Score-5.7||MEDIUM
EPSS-0.01% / 1.01%
||
7 Day CHG~0.00%
Published-01 Aug, 2025 | 18:03
Updated-13 Aug, 2025 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse

Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Action-Not Available
Vendor-HashiCorp, Inc.
Product-vaultVault EnterpriseVault
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
Details not found