CVE-2025-55001
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-156 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenBao versions 2.3.1 and below, where the LDAP authentication method with the parameter username_as_alias=true allowed the use of caller-supplied usernames without normalization. This flaw enabled attackers to bypass multi-factor authentication (MFA) requirements that were assigned based on entity aliases, potentially allowing unauthorized access. The issue was fixed in version 2.3.2 by removing this behavior.
How can this vulnerability impact me?
An attacker could bypass MFA protections by exploiting the lack of username normalization when username_as_alias=true is used in LDAP authentication. This could lead to unauthorized access to sensitive data managed by OpenBao, including secrets, certificates, and keys, potentially compromising the confidentiality and integrity of critical information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, remove all usage of the username_as_alias=true parameter in the LDAP authentication method and update any entity aliases accordingly. Additionally, upgrade OpenBao to version 2.3.2 or later where this issue is fixed.