CVE-2025-62513
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-27

Assigner: GitHub, Inc.

Description
OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This impacts those using the ACME functionality of PKI, resulting in short-lived ACME verification challenge codes being leaked in the audit logs. Additionally, this impacts those using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs. ACME verification codes are not usable after verification or challenge expiry so are of limited long-term use. This issue has been patched in OpenBao 2.4.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbao openbao to 2.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OpenBao versions 2.2.0 to 2.4.1 is a regression where raw HTTP request bodies were improperly logged in audit logs without proper redaction (HMAC). It affects the ACME functionality of the PKI module by leaking short-lived ACME verification challenge codes, and the OIDC issuer functionality of the identity subsystem by leaking authentication and token response codes along with claims. These sensitive data exposures occur in audit logs, potentially visible to those with access to logs. The issue was fixed in version 2.4.2. [1]

Impact Analysis

The vulnerability can lead to leakage of sensitive information such as ACME verification challenge codes and OIDC authentication and token response codes in audit logs. This exposure can compromise confidentiality by revealing short-lived verification codes and authentication tokens. However, the ACME codes are of limited long-term use as they expire after verification or challenge expiry. Users not using the affected functionalities are not impacted. [1]

Detection Guidance

This vulnerability can be detected by inspecting the audit logs of OpenBao versions 2.2.0 to 2.4.1 for the presence of unredacted raw HTTP request bodies, especially those related to the ACME functionality of the PKI module and the OIDC issuer functionality. Look for leaked ACME verification challenge codes or authentication and token response codes in the logs. Specific commands are not provided in the resources, but reviewing log files for sensitive data exposure in these areas is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenBao to version 2.4.2 or later, where the vulnerability has been patched. Additionally, review and restrict access to audit logs to prevent unauthorized viewing of sensitive data. If upgrading immediately is not possible, consider disabling or limiting the use of the affected ACME and OIDC functionalities until the patch can be applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62513. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart