CVE-2025-55003

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-307"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55003.json"
}

References

Affected packages

Git / github.com/openbao/openbao

Affected ranges

Type: GIT
Repo: https://github.com/openbao/openbao
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

b1a68f558c89d18d38fbb8675bb6fc1d90b71e98

Affected versions

api/auth/approle/v0.*

api/auth/approle/v0.1.0

api/auth/approle/v0.1.1

api/auth/approle/v0.2.0

api/auth/approle/v0.3.0

api/auth/approle/v0.4.0

api/auth/approle/v0.4.1

api/auth/approle/v1.*

api/auth/approle/v1.1.0-development20240408

api/auth/approle/v2.*

api/auth/approle/v2.0.1

api/auth/approle/v2.2.0

api/auth/approle/v2.3.0

api/auth/approle/v2.3.1

api/auth/aws/v0.*

api/auth/aws/v0.1.0

api/auth/aws/v0.2.0

api/auth/aws/v0.3.0

api/auth/aws/v0.4.0

api/auth/aws/v0.4.1

api/auth/aws/v1.*

api/auth/aws/v1.1.0-development20240408

api/auth/azure/v0.*

api/auth/azure/v0.1.0

api/auth/azure/v0.2.0

api/auth/azure/v0.3.0

api/auth/azure/v0.4.0

api/auth/azure/v0.4.1

api/auth/azure/v1.*

api/auth/azure/v1.1.0-development20240408

api/auth/gcp/v0.*

api/auth/gcp/v0.1.0

api/auth/gcp/v0.2.0

api/auth/gcp/v0.3.0

api/auth/gcp/v0.4.0

api/auth/gcp/v0.4.1

api/auth/gcp/v1.*

api/auth/gcp/v1.1.0-development20240408

api/auth/kubernetes/v1.*

api/auth/kubernetes/v1.1.0-development20240408

api/auth/kubernetes/v2.*

api/auth/kubernetes/v2.0.1

api/auth/kubernetes/v2.2.0

api/auth/kubernetes/v2.3.0

api/auth/kubernetes/v2.3.1

api/auth/ldap/v1.*

api/auth/ldap/v1.1.0-development20240408

api/auth/ldap/v2.*

api/auth/ldap/v2.0.1

api/auth/ldap/v2.2.0

api/auth/ldap/v2.3.0

api/auth/ldap/v2.3.1

api/auth/userpass/v0.*

api/auth/userpass/v0.1.0

api/auth/userpass/v0.2.0

api/auth/userpass/v0.3.0

api/auth/userpass/v0.4.0

api/auth/userpass/v0.4.1

api/auth/userpass/v1.*

api/auth/userpass/v1.1.0-development20240408

api/auth/userpass/v2.*

api/auth/userpass/v2.0.1

api/auth/userpass/v2.2.0

api/auth/userpass/v2.3.0

api/auth/userpass/v2.3.1

api/v1.*

api/v1.0.1

api/v1.0.2

api/v1.0.3

api/v1.0.4

api/v1.1.1

api/v1.100.0-development20240408

api/v1.2.0

api/v1.3.1

api/v1.5.0

api/v1.6.0

api/v1.7.0

api/v1.7.1

api/v1.7.2

api/v1.8.0

api/v1.8.1

api/v1.8.2

api/v1.8.3

api/v1.9.0

api/v1.9.1

api/v1.9.2

api/v2.*

api/v2.0.1

api/v2.1.0

api/v2.2.0

api/v2.3.0

api/v2.3.1

Other

before-plugin-removal

dev-namespaces-base-20250215

dev-namespaces-base-20250311

dev-namespaces-base-20250424

sdk/v0.*

sdk/v0.1.10

sdk/v0.1.11

sdk/v0.1.12

sdk/v0.1.13

sdk/v0.1.8

sdk/v0.1.9

sdk/v0.2.1

sdk/v0.3.0

sdk/v0.4.1

sdk/v0.5.0

sdk/v0.5.1

sdk/v0.5.3

sdk/v0.6.0

sdk/v0.6.1

sdk/v0.6.2

sdk/v0.7.0

sdk/v0.8.0

sdk/v0.9.0

sdk/v0.9.1

sdk/v1.*

sdk/v1.100.0-development20240408

sdk/v2.*

sdk/v2.0.1

sdk/v2.1.0

sdk/v2.2.0

sdk/v2.3.0

sdk/v2.3.1

v2.*

v2.0.0

v2.0.0-alpha20240329

v2.0.0-beta20240618

v2.1.0-beta20241114

v2.1.0-beta20241114.1

v2.1.0-beta20241114.2

v2.1.0-beta20241114.3

v2.2.0-beta20250213

v2.3.0

v2.3.0-beta20250528

v2.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55003.json"