x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-j3xv-7fxp-gfhx

Advisory [GHSA-j3xv-7fxp-gfhx](https://github.com/advisories/GHSA-j3xv-7fxp-gfhx) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/openbao/openbao](https://pkg.go.dev/github.com/openbao/openbao) |

Description:
### Impact

Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. 

### Patches

OpenBao v2.3.2 will patch this issue.

### Workarounds

Existing users may apply rate-limiting quotas on the authentication endpoints: https://openbao.org/api-docs/system/rate-limit-quotas/

### References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

- https://discuss.hashicorp.com/t/hcsec-2025-16-vaul...

References:
- ADVISORY: https://github.com/advisories/GHSA-j3xv-7fxp-gfhx
- ADVISORY: https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx
- FIX: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-6004

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      versions:
        - fixed: 0.0.0-20250807212521-c52795c1ef74
        - introduced: 0.1.0
      non_go_versions:
        - fixed: 2.3.2
summary: OpenBao Userpass and LDAP User Lockout Bypass in github.com/openbao/openbao
cves:
    - CVE-2025-54998
ghsas:
    - GHSA-j3xv-7fxp-gfhx
references:
    - advisory: https://github.com/advisories/GHSA-j3xv-7fxp-gfhx
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx
    - fix: https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc
    - web: https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6004
notes:
    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: latest version (0.0.0-20250808111916-d645c4300d72) is before last introduced version'
source:
    id: GHSA-j3xv-7fxp-gfhx
    created: 2025-08-08T15:01:25.003133707Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-j3xv-7fxp-gfhx #3855

Impact

Patches

Workarounds

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-j3xv-7fxp-gfhx #3855

Description

Impact

Patches

Workarounds

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions