ByteOS Network

NVD Vulnerability Details :

CVE-2025-54998

Analyzed

Source-security-advisories@github.com

Published At-09 Aug, 2025 | 03:15

Updated At-12 Aug, 2025 | 20:50

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CPE Matches

openbao>>openbao>>Versions from 0.1.0(inclusive) to 2.3.2(exclusive)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-307	Primary	security-advisories@github.com

References

Hyperlink	Source	Resource
https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035	security-advisories@github.com	Not Applicable
https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc	security-advisories@github.com	Patch
https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx	security-advisories@github.com	Vendor Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History