{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55000", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-04T17:34:24.421Z", "datePublished": "2025-08-09T02:01:16.409Z", "dateUpdated": "2025-08-11T14:43:10.004Z"}, "containers": {"cna": {"title": "OpenBao TOTP Secrets Engine Enables Code Reuse", "problemTypes": [{"descriptions": [{"cweId": "CWE-156", "lang": "en", "description": "CWE-156: Improper Neutralization of Whitespace", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"}, {"name": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"}, {"name": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036", "tags": ["x_refsource_MISC"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"version": ">= 0.1.0, < 2.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T02:01:16.409Z"}, "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."}], "source": {"advisory": "GHSA-f7c3-mhj2-9pvg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T14:42:51.463552Z", "id": "CVE-2025-55000", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T14:43:10.004Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55000", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-11T14:42:51.463552Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T14:43:02.550Z"}}], "cna": {"title": "OpenBao TOTP Secrets Engine Enables Code Reuse", "source": {"advisory": "GHSA-f7c3-mhj2-9pvg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openbao", "product": "openbao", "versions": [{"status": "affected", "version": ">= 0.1.0, < 2.3.2"}]}], "references": [{"url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg", "name": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1", "name": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1", "tags": ["x_refsource_MISC"]}, {"url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036", "name": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-156", "description": "CWE-156: Improper Neutralization of Whitespace"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T02:01:16.409Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55000", "state": "PUBLISHED", "dateUpdated": "2025-08-11T14:43:10.004Z", "dateReserved": "2025-08-04T17:34:24.421Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-09T02:01:16.409Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACF9965E-337F-45A7-92E4-5D36A7FC7C9A", "versionEndExcluding": "2.3.2", "versionStartIncluding": "0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."}, {"lang": "es", "value": "OpenBao existe para proporcionar una soluci\u00f3n de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 0.1.0 a 2.3.1, el motor de secretos TOTP de OpenBao pod\u00eda aceptar c\u00f3digos v\u00e1lidos varias veces en lugar de solo una. Esto se deb\u00eda a una normalizaci\u00f3n inesperada en la librer\u00eda TOTP subyacente. Para solucionar este problema, aseg\u00farese de que todos los c\u00f3digos se normalicen antes de enviarlos al endpoint de OpenBao. La verificaci\u00f3n de c\u00f3digos TOTP es una acci\u00f3n privilegiada; solo los sistemas de confianza deben verificar los c\u00f3digos."}], "id": "CVE-2025-55000", "lastModified": "2025-08-12T20:44:13.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-09T03:15:46.737", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-156"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}