CVE-2025-54999
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-11-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in OpenBao versions 0.1.0 through 2.3.1 allows an attacker to perform user enumeration via the userpass authentication method. The issue arises because the system responds with different timing for non-existent users compared to users with stored credentials, regardless of whether the supplied credentials are valid. This timing difference can be exploited to discover valid usernames. The vulnerability was fixed in version 2.3.2.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to identify valid usernames in the system through timing attacks. This can facilitate further attacks such as targeted password guessing or social engineering. However, the impact is limited as the CVSS score is low (3.7) and it does not directly compromise confidentiality, integrity, or availability of data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenBao to version 2.3.2 or later where the issue is fixed. Alternatively, you can use a different authentication method instead of the userpass auth method, or apply rate limiting quotas to limit the number of authentication requests in a given period of time.