CVE-2025-54999
LOWDescription
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| openbao | openbao |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-54999? +
How severe is CVE-2025-54999? +
What products are affected by CVE-2025-54999? +
How do I check if I'm vulnerable to CVE-2025-54999? +
Related Vulnerabilities
A specific authentication strategy allows to learn ids of PAM users associated with certain authentication types.
Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. In versions 0.8.0b2 …
Helix ALM prior to 2025.1 returns distinct error responses during authentication, allowing an attacker to determine whether a username exists.
Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers …
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially …
darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers …