Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-55003
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-09 Aug, 2025 | 03:15
Updated At-12 Aug, 2025 | 20:39

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.7MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CPE Matches
openbao
openbao
>>openbao>>Versions before 2.3.2(exclusive)
cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarysecurity-advisories@github.com
CWE ID: CWE-307
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038security-advisories@github.com
Not Applicable
https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19security-advisories@github.com
Patch
https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3psecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
Source: security-advisories@github.com
Resource:
Not Applicable
Hyperlink: https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
Source: security-advisories@github.com
Resource:
Vendor Advisory
Change History
0Changes found
Details not found