CVE-2025-52893
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52893 is a vulnerability in OpenBao versions before 2.3.0 where processing malformed input data can cause sensitive information such as secrets, certificates, or keys to be leaked in logs. When OpenBao encounters malformed data, its error handling logs detailed error messages that include the actual sensitive values, exposing confidential information. This issue is fixed in OpenBao v2.3.0 and later, and the only mitigation before upgrading is to ensure all client requests are properly formatted to avoid triggering the vulnerability. [3, 4]
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive information in server and audit logs when malformed data is processed. Attackers or unauthorized users with access to these logs could obtain confidential data such as passwords or keys, compromising confidentiality. Although it does not affect data integrity or availability, the leakage of sensitive data can lead to further security risks. There is no known workaround except ensuring all client requests are properly formatted, and affected secrets should be rotated if exposure is detected. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by auditing server and audit logs for error messages that indicate sensitive data leakage when processing malformed input. Specifically, search logs for error patterns like: "error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" or similar messages that include sensitive values in error outputs. Commands to detect this could include using grep or similar tools on log files, for example: `grep -r 'error converting input for field' /var/log/` or `grep -r 'got unconvertible type' /path/to/logs/`. Monitoring network traffic for malformed requests causing such errors may also help, but the primary detection is through log inspection. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Ensuring all client requests are properly formatted to avoid triggering malformed data processing, as there is no known workaround other than this.
2. Auditing existing server and audit logs for any exposure of sensitive data using the error message patterns described.
3. Rotating any secrets that may have been exposed in logs.
4. Upgrading OpenBao to version 2.3.0 or later, or HashiCorp Vault to the fixed versions (Vault Community 1.19.3 or later, Vault Enterprise 1.19.3, 1.18.9, 1.17.16, or 1.16.20) to apply the fix that removes sensitive data from error messages. [3, 4]
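The log-audit and secret-rotation steps above can be automated with the following script, an added example that is not part of this record or of the OpenBao project. It parses the "error converting input for field" message pattern quoted in the detection answer, flags lines whose `value:` tail echoes submitted data, redacts that value before it is reported anywhere else, and lists the fields whose secrets should be rotated. The sample log lines are constructed for the example and are not real OpenBao output.

```python
import re
from typing import Dict, List, Optional

# Matches the field-conversion error quoted in the advisory. Quotes around the
# field name may be escaped (\") when the log line itself is JSON-encoded.
# The optional ", value: '...'" tail is the part that carries submitted data;
# the greedy .* deliberately runs to the last quote so redaction over-matches
# rather than under-matches when the value itself contains quotes.
ERROR_RE = re.compile(
    r'error converting input for field \\?"(?P<field>[^"\\]+)\\?": '
    r"expected type '(?P<expected>[^']+)', got unconvertible type '(?P<got>[^']+)'"
    r"(?:, value: '(?P<value>.*)')?"
)

# Constructed sample lines (not real OpenBao output): two vulnerable-style
# lines that echo the value, one fixed-style line without it, one unrelated.
SAMPLE_LOG = [
    '2025-06-25T10:00:01Z [ERROR] core: error converting input for field "password": '
    "expected type 'string', got unconvertible type 'map[string]interface {}', value: '{\"hunter2\":true}'",
    '{"@level":"error","@message":"error converting input for field \\"token\\": '
    "expected type 'string', got unconvertible type '[]interface {}', value: '[\\\"s.abc123\\\"]'\"}",
    '2025-06-25T10:00:03Z [ERROR] core: error converting input for field "ttl": '
    "expected type 'int', got unconvertible type 'bool'",
    "2025-06-25T10:00:04Z [INFO] core: request completed",
]

def scan_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it is not this error."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    leaked = m.group("value") is not None
    # Never forward the echoed value: cut it out before the finding leaves this host.
    redacted = line[: m.start("value")] + "[REDACTED]" + line[m.end("value"):] if leaked else line
    return {"field": m.group("field"), "expected": m.group("expected"),
            "got": m.group("got"), "leaked": leaked, "redacted": redacted}

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line and keep only the matching findings."""
    return [f for f in map(scan_line, lines) if f is not None]

def fields_to_rotate(findings: List[Dict[str, object]]) -> List[str]:
    """Fields whose submitted value reached the log and so should be rotated."""
    return sorted({str(f["field"]) for f in findings if f["leaked"]})

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(("LEAK " if f["leaked"] else "ok   ") + str(f["redacted"]))
    print("rotate:", fields_to_rotate(found))
```

Point `scan_log` at the real server and audit log lines; only the redacted form of each finding should be written to a ticket or SIEM.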