ByteOS Network

CVE Vulnerability Details :

CVE-2025-55000

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-09 Aug, 2025 | 02:01

Updated At-11 Aug, 2025 | 14:43

▼CVE Numbering Authority (CNA)

OpenBao TOTP Secrets Engine Enables Code Reuse

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

Affected Products

Vendor

openbao

Product

openbao

Versions

Affected

>= 0.1.0, < 2.3.2

Problem Types

Type	CWE ID	Description
CWE	CWE-156	CWE-156: Improper Neutralization of Whitespace

Metrics

Version	Base score	Base severity	Vector
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Hyperlink	Resource
https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg	x_refsource_CONFIRM
https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1	x_refsource_MISC
https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References