CVE-2025-55000

EPSS 0.03%
Veröffentlicht 09.08.2025 02:01:16
Zuletzt bearbeitet 13.11.2025 17:55:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openbao ≫ Openbao Version < 2.3.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.09

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-156 Improper Neutralization of Whitespace

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.

https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

Not Applicable

https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg

Vendor Advisory

https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-55000

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55000

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55000

EUVD