CVE-2025-54997

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

O

penBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.

References

Link	Resource
https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033	Not Applicable
https://github.com/openbao/openbao/pull/1634	Issue Tracking
https://github.com/openbao/openbao/releases/tag/v2.3.2	Release Notes
https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

History

13 Aug 2025, 18:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-09 03:15

Updated : 2025-08-13 18:23

NVD link : CVE-2025-54997

Mitre link : CVE-2025-54997

CVE.ORG link : CVE-2025-54997

JSON object : View

Products Affected

openbao

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-54997", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2025-08-09T03:15:46.263", "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033", "tags": ["Not Applicable"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/pull/1634", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/releases/tag/v2.3.2", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way."}, {"lang": "es", "value": "OpenBao existe para proporcionar una soluci\u00f3n de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, algunas implementaciones de OpenBao limitan intencionalmente la ejecuci\u00f3n de c\u00f3digo del sistema o el establecimiento de conexiones de red por parte de operadores de API privilegiados. Sin embargo, estos operadores pueden eludir ambas restricciones a trav\u00e9s del subsistema de auditor\u00eda manipulando los prefijos de registro. Esto permite la ejecuci\u00f3n de c\u00f3digo no autorizado y el acceso a la red que infringe el modelo de seguridad previsto. Este problema se solucion\u00f3 en la versi\u00f3n 2.3.2. Como soluci\u00f3n alternativa, los usuarios pueden bloquear el acceso a los endpoints sys/audit/* mediante pol\u00edticas de denegaci\u00f3n expl\u00edcitas, pero los operadores ra\u00edz no pueden restringirse de esta forma."}], "lastModified": "2025-08-13T18:23:12.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5572B591-02AC-4B8F-8956-FC9A606D7F32", "versionEndExcluding": "2.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}