Vulnerability Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openbao | Openbao | < 2.3.2 |
Related Weaknesses (CWE)
References
- https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limNot Applicable
- https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32edPatch
- https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3pVendor Advisory
FAQ
What is CVE-2025-55003?
CVE-2025-55003 is a vulnerability with a CVSS score of 5.7 (MEDIUM). OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authe...
How severe is CVE-2025-55003?
CVE-2025-55003 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55003?
Check the references section above for vendor advisories and patch information. Affected products include: Openbao Openbao.