CVE-2025-54997

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
https://github.com/openbao/openbao/pull/1634
https://github.com/openbao/openbao/releases/tag/v2.3.2
https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp

Configurations

No configuration.

History

09 Aug 2025, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-09 03:15

Updated : 2025-08-09 03:15

NVD link : CVE-2025-54997

Mitre link : CVE-2025-54997

CVE.ORG link : CVE-2025-54997

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.1 /10