CVE-2025-55000

low-risk

Published 2025-08-09

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Openbao

Affected Vendors

Openbao

References (3)

Not Applicable https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reu...

Patch https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99...

Vendor Advisory https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal