CVE-2025-52893

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-52893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-52893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-52893
Aliases
Downstream
Published
2025-06-25T17:15:39Z
Modified
2025-06-27T11:03:06.066879Z
Summary
[none]
Details

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

References

Affected packages

Git / github.com/go-viper/mapstructure

Affected ranges

Type
GIT
Repo
https://github.com/go-viper/mapstructure
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8c61ec1924fcfa522f9fc6b4618c672db61d1a38
Fixed
ed3f92181528ff776a0324107b8b55026e93766a
Type
GIT
Repo
https://github.com/openbao/openbao
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cf5e920badbf96b41253534a3fd5ff5063bf4b30

Affected versions

api/auth/approle/v0.*

api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1

api/auth/approle/v1.*

api/auth/approle/v1.1.0-development20240408

api/auth/approle/v2.*

api/auth/approle/v2.0.1
api/auth/approle/v2.2.0
api/auth/approle/v2.3.0

api/auth/aws/v0.*

api/auth/aws/v0.1.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1

api/auth/aws/v1.*

api/auth/aws/v1.1.0-development20240408

api/auth/azure/v0.*

api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1

api/auth/azure/v1.*

api/auth/azure/v1.1.0-development20240408

api/auth/gcp/v0.*

api/auth/gcp/v0.1.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1

api/auth/gcp/v1.*

api/auth/gcp/v1.1.0-development20240408

api/auth/kubernetes/v1.*

api/auth/kubernetes/v1.1.0-development20240408

api/auth/kubernetes/v2.*

api/auth/kubernetes/v2.0.1
api/auth/kubernetes/v2.2.0
api/auth/kubernetes/v2.3.0

api/auth/ldap/v1.*

api/auth/ldap/v1.1.0-development20240408

api/auth/ldap/v2.*

api/auth/ldap/v2.0.1
api/auth/ldap/v2.2.0
api/auth/ldap/v2.3.0

api/auth/userpass/v0.*

api/auth/userpass/v0.1.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1

api/auth/userpass/v1.*

api/auth/userpass/v1.1.0-development20240408

api/auth/userpass/v2.*

api/auth/userpass/v2.0.1
api/auth/userpass/v2.2.0
api/auth/userpass/v2.3.0

api/v1.*

api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.100.0-development20240408
api/v1.2.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2

api/v2.*

api/v2.0.1
api/v2.1.0
api/v2.2.0
api/v2.3.0

Other

before-plugin-removal
dev-namespaces-base-20250215
dev-namespaces-base-20250311
dev-namespaces-base-20250424
fork-point

sdk/v0.*

sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1

sdk/v1.*

sdk/v1.100.0-development20240408

sdk/v2.*

sdk/v2.0.1
sdk/v2.1.0
sdk/v2.2.0
sdk/v2.3.0

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.6.0

v2.*

v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha20240329
v2.0.0-beta20240618
v2.1.0
v2.1.0-beta20241114
v2.1.0-beta20241114.1
v2.1.0-beta20241114.2
v2.1.0-beta20241114.3
v2.2.0
v2.2.0-beta20250213
v2.2.1
v2.3.0-beta20250528