CVE-2025-54998
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-11-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenBao versions 0.1.0 through 2.3.1 allows attackers to bypass the automatic user lockout mechanisms in the Userpass or LDAP authentication systems. The issue arises due to different aliasing between pre-flight and full login request user entity alias attributions, enabling attackers to avoid lockout protections designed to prevent brute force attacks. The vulnerability is fixed in version 2.3.2.
How can this vulnerability impact me? :
An attacker could repeatedly attempt to authenticate without being locked out, potentially enabling brute force attacks to guess user credentials. This could lead to unauthorized access or increased risk of credential compromise, although the vulnerability does not directly impact confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenBao to version 2.3.2 or later. As a workaround, apply rate-limiting quotas on the authentication endpoints as described in the OpenBao API documentation at https://openbao.org/api-docs/system/rate-limit-quotas/ to prevent attackers from bypassing the automatic user lockout mechanisms.