CVE-2025-54997
- Source
- https://cve.org/CVERecord?id=CVE-2025-54997
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54997.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-54997
- Aliases
- Downstream
- Related
- Published
- 2025-08-09T01:56:45.634Z
- Modified
- 2026-04-10T05:29:45.097774Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- OpenBao: Privileged Operator May Execute Code on the Underlying Host
- Details
-
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54997.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-94" ] }- References
-
- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
- https://github.com/openbao/openbao/releases/tag/v2.3.2
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54997.json
- https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp
- https://nvd.nist.gov/vuln/detail/CVE-2025-54997
- https://github.com/openbao/openbao/pull/1634
Affected packages
Git / github.com/openbao/openbao
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openbao/openbao
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
api/auth/approle/v0.*
api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1
api/auth/approle/v1.*
api/auth/approle/v1.1.0-development20240408
api/auth/approle/v2.*
api/auth/approle/v2.0.1
api/auth/approle/v2.2.0
api/auth/approle/v2.3.0
api/auth/approle/v2.3.1
api/auth/aws/v0.*
api/auth/aws/v0.1.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1
api/auth/aws/v1.*
api/auth/aws/v1.1.0-development20240408
api/auth/azure/v0.*
api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1
api/auth/azure/v1.*
api/auth/azure/v1.1.0-development20240408
api/auth/gcp/v0.*
api/auth/gcp/v0.1.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1
api/auth/gcp/v1.*
api/auth/gcp/v1.1.0-development20240408
api/auth/kubernetes/v1.*
api/auth/kubernetes/v1.1.0-development20240408
api/auth/kubernetes/v2.*
api/auth/kubernetes/v2.0.1
api/auth/kubernetes/v2.2.0
api/auth/kubernetes/v2.3.0
api/auth/kubernetes/v2.3.1
api/auth/ldap/v1.*
api/auth/ldap/v1.1.0-development20240408
api/auth/ldap/v2.*
api/auth/ldap/v2.0.1
api/auth/ldap/v2.2.0
api/auth/ldap/v2.3.0
api/auth/ldap/v2.3.1
api/auth/userpass/v0.*
api/auth/userpass/v0.1.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1
api/auth/userpass/v1.*
api/auth/userpass/v1.1.0-development20240408
api/auth/userpass/v2.*
api/auth/userpass/v2.0.1
api/auth/userpass/v2.2.0
api/auth/userpass/v2.3.0
api/auth/userpass/v2.3.1
api/v1.*
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.100.0-development20240408
api/v1.2.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2
api/v2.*
api/v2.0.1
api/v2.1.0
api/v2.2.0
api/v2.3.0
api/v2.3.1
Other
before-plugin-removal
dev-namespaces-base-20250215
dev-namespaces-base-20250311
dev-namespaces-base-20250424
sdk/v0.*
sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1
sdk/v1.*
sdk/v1.100.0-development20240408
sdk/v2.*
sdk/v2.0.1
sdk/v2.1.0
sdk/v2.2.0
sdk/v2.3.0
sdk/v2.3.1
v2.*
v2.0.0
v2.0.0-alpha20240329
v2.0.0-beta20240618
v2.1.0-beta20241114
v2.1.0-beta20241114.1
v2.1.0-beta20241114.2
v2.1.0-beta20241114.3
v2.2.0-beta20250213
v2.3.0
v2.3.0-beta20250528
v2.3.1