CVE-2025-54997

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033	Not Applicable
https://github.com/openbao/openbao/pull/1634	Issue Tracking
https://github.com/openbao/openbao/releases/tag/v2.3.2	Release Notes
https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

History

13 Aug 2025, 18:23

Type	Values Removed	Values Added
First Time		Openbao openbao Openbao
CPE		cpe:2.3:a:openbao:openbao::::::::
References	~~() https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033 -~~	() https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033 - Not Applicable
References	~~() https://github.com/openbao/openbao/pull/1634 -~~	() https://github.com/openbao/openbao/pull/1634 - Issue Tracking
References	~~() https://github.com/openbao/openbao/releases/tag/v2.3.2 -~~	() https://github.com/openbao/openbao/releases/tag/v2.3.2 - Release Notes
References	~~() https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp -~~	() https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp - Vendor Advisory

11 Aug 2025, 18:32

Type	Values Removed	Values Added
Summary		(es) OpenBao existe para proporcionar una solución de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, algunas implementaciones de OpenBao limitan intencionalmente la ejecución de código del sistema o el establecimiento de conexiones de red por parte de operadores de API privilegiados. Sin embargo, estos operadores pueden eludir ambas restricciones a través del subsistema de auditoría manipulando los prefijos de registro. Esto permite la ejecución de código no autorizado y el acceso a la red que infringe el modelo de seguridad previsto. Este problema se solucionó en la versión 2.3.2. Como solución alternativa, los usuarios pueden bloquear el acceso a los endpoints sys/audit/* mediante políticas de denegación explícitas, pero los operadores raíz no pueden restringirse de esta forma.

09 Aug 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-09 03:15

Updated : 2025-08-13 18:23

NVD link : CVE-2025-54997

Mitre link : CVE-2025-54997

CVE.ORG link : CVE-2025-54997

JSON object : View

Products Affected

openbao

openbao

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.1 /10