GHSA-xp75-r577-cvhp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xp75-r577-cvhp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-xp75-r577-cvhp/GHSA-xp75-r577-cvhp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xp75-r577-cvhp
- Aliases
- Published
- 2025-08-08T14:37:22Z
- Modified
- 2025-08-11T18:42:08.124490Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Privileged OpenBao Operator May Execute Code on the Underlying Host
- Details
-
Impact
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the ability to update binaries or execute code on the system. Additionally, privileged API operators should be unable to perform TCP connections to arbitrary hosts in the environment OpenBao is executing within. The API-driven audit subsystem granted privileged API operators the ability to do both with an attacker-controlled log prefix. Access to these endpoints should be restricted.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
Users may deny all access to the
sys/audit/*interface (withcreateandupdate) permission via policies with explicit deny grants. This would not restrictrootlevel operators, however, for whom there are no workarounds.This interface allowed arbitrary filesystem and network (write) access as the user the OpenBao server was running as; in conjunction with allowing custom plugins or other system processes this may enable code execution.
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
- https://nvd.nist.gov/vuln/detail/CVE-2025-6000
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-08-09T03:15:46Z", "cwe_ids": [ "CWE-94" ], "github_reviewed_at": "2025-08-08T14:37:22Z", "severity": "CRITICAL" }- References
-
- https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp
- https://nvd.nist.gov/vuln/detail/CVE-2025-54997
- https://nvd.nist.gov/vuln/detail/CVE-2025-6000
- https://github.com/openbao/openbao/pull/1634
- https://github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2
- https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
- https://github.com/openbao/openbao
- https://github.com/openbao/openbao/releases/tag/v2.3.2
Affected packages
Go / github.com/openbao/openbao
Package
- Name
- github.com/openbao/openbao
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openbao/openbao
Go / github.com/openbao/openbao
Package
- Name
- github.com/openbao/openbao
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/openbao/openbao