Description
Advisory GHSA-f7c3-mhj2-9pvg references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/openbao/openbao |
Description:
Impact
OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.
Patches
OpenBao v2.3.2 will patch this issue.
In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.
Workarounds
TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.
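The advisory describes the fix as rejecting any submitted code that is not strictly N numeric digits, so that the same code cannot be replayed under a variant spelling that a lenient library would normalize to the same value. The following is an added illustration of that check together with a single-use tracker keyed on the canonical string; it is not OpenBao's code, and the names `isStrictCode`, `usedCodes` and `consume` are hypothetical (TOTP computation itself is out of scope here).

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// isStrictCode reports whether code is exactly `digits` ASCII digits and nothing
// else: no whitespace, no sign, no extra leading zeros, no non-ASCII digits.
// This is the normalized form the advisory says patched versions require.
func isStrictCode(code string, digits int) bool {
	if len(code) != digits {
		return false
	}
	for i := 0; i < len(code); i++ {
		if code[i] < '0' || code[i] > '9' {
			return false
		}
	}
	return true
}

var (
	errRejected = errors.New("code is not strictly N numeric digits")
	errReused   = errors.New("code already used")
)

// usedCodes is a constructed single-use tracker (hypothetical, not OpenBao's
// implementation); a real engine scopes it per key and expires entries with the window.
type usedCodes struct {
	mu   sync.Mutex
	seen map[string]bool
}

func newUsedCodes() *usedCodes { return &usedCodes{seen: map[string]bool{}} }

// consume enforces strictly-once acceptance: input that is not already canonical is
// rejected before it can ever be recorded, so no variant spelling can bypass `seen`.
func (u *usedCodes) consume(code string, digits int) error {
	if !isStrictCode(code, digits) {
		return errRejected
	}
	u.mu.Lock()
	defer u.mu.Unlock()
	if u.seen[code] {
		return errReused
	}
	u.seen[code] = true
	return nil
}

func main() {
	u := newUsedCodes()
	for _, c := range []string{"123456", "123456", " 123456", "0123456"} {
		fmt.Printf("%q -> %v\n", c, u.consume(c, 6))
	}
}
```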
References
This issue w...
References:
- ADVISORY: GHSA-f7c3-mhj2-9pvg
- ADVISORY: GHSA-f7c3-mhj2-9pvg
- FIX: openbao/openbao@183891f
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      versions:
        - fixed: 0.0.0-20250806193153-183891f8d535
        - introduced: 0.1.0
      non_go_versions:
        - fixed: 2.3.2
summary: OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao
cves:
    - CVE-2025-55000
ghsas:
    - GHSA-f7c3-mhj2-9pvg
references:
    - advisory: https://github.com/advisories/GHSA-f7c3-mhj2-9pvg
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg
    - fix: https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1
    - web: https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6014
notes:
    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250808111916-d645c4300d72) is before last introduced version'
source:
    id: GHSA-f7c3-mhj2-9pvg
    created: 2025-08-08T15:01:23.459715491Z
review_status: UNREVIEWED
```