GHSA-prpj-rchp-9j5h

Source

https://github.com/advisories/GHSA-prpj-rchp-9j5h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-prpj-rchp-9j5h/GHSA-prpj-rchp-9j5h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-prpj-rchp-9j5h

Aliases

Published

2025-06-26T21:29:05Z

Modified

2026-04-01T17:34:48.665426Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

OpenBao allows cancellation of root rekey and recovery rekey operations without authentication

Details

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-06-26T21:29:05Z",
    "nvd_published_at": "2025-06-25T17:15:39Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-306"
    ]
}

References

Affected packages

Go / github.com/openbao/openbao

Package

Name: github.com/openbao/openbao; View open source insights on deps.dev
Purl: pkg:golang/github.com/openbao/openbao

Affected ranges

Type: SEMVER
Events: Introduced

0.1.0

Database specific

last_known_affected_version_range

"< 2.3.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-prpj-rchp-9j5h/GHSA-prpj-rchp-9j5h.json"

Go / github.com/openbao/openbao

Package

Name: github.com/openbao/openbao; View open source insights on deps.dev
Purl: pkg:golang/github.com/openbao/openbao

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20250625150133-fe75468822a2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-prpj-rchp-9j5h/GHSA-prpj-rchp-9j5h.json"