CVE-2025-55003
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbao | openbao | to 2.3.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in OpenBao versions 2.3.1 and below involves the Login Multi-Factor Authentication (MFA) system that uses Time-based One Time Password (TOTP). Due to normalization by the TOTP library, MFA codes containing whitespace were accepted, which allowed bypassing internal rate limiting and enabled reuse of existing MFA codes. This flaw could let attackers reuse MFA codes that should have been invalidated.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass MFA rate limiting and reuse MFA codes, potentially enabling unauthorized access to sensitive data managed by OpenBao. This could compromise the confidentiality of secrets, certificates, and keys stored in the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenBao to version 2.3.2 or later where the issue is fixed. As a workaround, implement rate-limiting quotas on the MFA system to limit an attacker's ability to exploit the vulnerability.
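The mechanism described in the Q&A above, as an added illustration (not OpenBao's own code): a replay guard that keys its bookkeeping on the raw submitted string, beside a hardened variant that enforces one canonical six-digit form before any bookkeeping. The expected code, the whitespace-stripping `libraryValidate` model and the `Guard` type are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added illustration, not OpenBao's code. A lenient TOTP library strips
// whitespace, so "123456", " 123456" and "123 456" all validate as one code;
// a replay guard keyed on the raw string sees three different entries.

// Constructed sample; a real check derives this from the shared secret and clock.
const expectedCode = "123456"

// libraryValidate models the lenient library: whitespace is removed before comparing.
func libraryValidate(code string) bool {
	return strings.Join(strings.Fields(code), "") == expectedCode
}

// Guard remembers codes already consumed in the current time step.
type Guard struct{ used map[string]bool }

func NewGuard() *Guard { return &Guard{used: map[string]bool{}} }

// WeakAccept keys the replay cache on the raw input, so whitespace variants
// of an already-used code are accepted again (the weakness described above).
func (g *Guard) WeakAccept(code string) bool {
	if g.used[code] || !libraryValidate(code) {
		return false
	}
	g.used[code] = true
	return true
}

// sixDigits enforces a single canonical representation before any bookkeeping.
var sixDigits = regexp.MustCompile(`^[0-9]{6}$`)

// HardenedAccept rejects anything that is not exactly six digits up front, so the
// replay cache (and an attempt counter keyed the same way) has one key per code.
func (g *Guard) HardenedAccept(code string) bool {
	return sixDigits.MatchString(code) && g.WeakAccept(code)
}

func main() {
	w, h := NewGuard(), NewGuard()
	fmt.Println(w.WeakAccept("123456"), w.WeakAccept(" 123456"))                                   // true true
	fmt.Println(h.HardenedAccept("123456"), h.HardenedAccept(" 123456"), h.HardenedAccept("123456")) // true false false
}
```

The same canonical-form rule applies to whatever key a per-entity attempt counter uses, which is why the fixed version and the rate-limiting workaround both depend on rejecting non-canonical input before counting.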