CVE-2025-52894
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | up to 2.3.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52894 is a vulnerability in OpenBao versions before 2.3.0 where unauthenticated attackers can access certain rekey cancellation endpoints without any authentication or audit. This allows them to cancel root rekey and recovery rekey operations, which are critical for managing sensitive keys and secrets. The cancellation can disrupt legitimate rekey processes, causing a denial of service. These endpoints were not audited, so such attacks might not be logged. A configuration option was introduced to disable these unauthenticated endpoints, and future versions will disable them by default and provide authenticated alternatives. [1, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker to interrupt and cancel critical rekey operations in OpenBao, leading to denial of service. While it does not affect confidentiality or integrity, it can cause service disruption by preventing legitimate rekeying of root and recovery keys. This could delay or block key management processes necessary for secure operation. Mitigations include disabling unauthenticated access to these endpoints via configuration or network controls. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability can be attempted by monitoring for unauthenticated requests to the rekey cancellation endpoints, specifically DELETE requests to /sys/rekey/init and /sys/rekey-recovery-key/init. Although these unauthenticated requests are not audited by default, a log entry such as 'rekey initialized: nonce=... shares=1 threshold=1 validation_required=false' might appear if an attacker initiates a rekey operation that ultimately fails. Network monitoring tools or intrusion detection systems can be configured to alert on DELETE requests to these paths. To check whether an endpoint accepts unauthenticated requests, a tool such as curl or wget can be used, for example: curl -X DELETE http://<openbao-server>/sys/rekey/init -v. Packet capture tools such as tcpdump or Wireshark can also be used to filter HTTP DELETE requests to these paths. However, no specific detection commands are provided in the resources. [1, 3]
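Because OpenBao itself does not audit these requests, the practical place to detect cancellation attempts is the access log of a reverse proxy or load balancer in front of it. The following detector is an added example, not code from OpenBao or from this page: it assumes a combined-format access log (constructed sample lines below) and an assumed operator network range, and it flags every DELETE against the two cancellation paths, marking whether the source falls inside that trusted range.

```python
import ipaddress
import re

# Constructed sample access log lines (combined log format); the addresses and
# timestamps are made up for illustration. OpenBao's HTTP API lives under /v1/,
# so the paths carry that prefix.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/2025:10:00:01 +0000] "POST /v1/sys/rekey/init HTTP/1.1" 200 312
203.0.113.7 - - [25/Jun/2025:10:00:09 +0000] "DELETE /v1/sys/rekey/init HTTP/1.1" 204 0
10.0.0.5 - - [25/Jun/2025:10:00:15 +0000] "GET /v1/sys/health HTTP/1.1" 200 210
203.0.113.7 - - [25/Jun/2025:10:00:20 +0000] "DELETE /v1/sys/rekey-recovery-key/init HTTP/1.1" 204 0
10.0.0.9 - - [25/Jun/2025:10:01:00 +0000] "DELETE /v1/sys/rekey/init HTTP/1.1" 204 0
"""

# Fields of a combined-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)
# The two rekey cancellation endpoints named in the advisory (any API prefix).
REKEY_CANCEL_RE = re.compile(r'/sys/(rekey|rekey-recovery-key)/init/?$')


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rekey_cancellations(log_text, trusted_cidrs):
    """Flag DELETE requests to the rekey cancellation paths.

    trusted_cidrs is an assumed list of operator network ranges; a hit from
    outside them is the strongest signal, but every cancellation is returned so
    it can be reconciled with planned rekey operations.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if not REKEY_CANCEL_RE.search(path):
            continue
        addr = ipaddress.ip_address(rec["ip"])
        alerts.append({
            "ip": rec["ip"],
            "path": path,
            "ts": rec["ts"],
            "trusted_source": any(addr in n for n in nets),
        })
    return alerts
```

Run over the sample above with `["10.0.0.0/8"]` as the trusted range, it returns three cancellations, two of them from outside the operator network.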
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Manually set the configuration option disable_unauthed_rekey_endpoints=true on global listeners in OpenBao version 2.2.2 and later to disable unauthenticated access to the vulnerable rekey endpoints.
2. If an active proxy or load balancer is in front of OpenBao, configure it to deny requests to the /sys/rekey/* and /sys/rekey-recovery-key/* endpoints from unauthorized IP ranges.
3. Plan to upgrade to OpenBao version 2.4.0 or later, where disable_unauthed_rekey_endpoints will default to true and an authenticated alternative endpoint will be provided.

These steps will prevent unauthenticated cancellation of root and recovery rekey operations and reduce the risk of denial of service. [1, 3, 4]