CVE-2025-52893Log File Information Exposure in Openbao Openbao SDK V2

CWE-532Log File Information Exposure5 documents3 sources
Severity
4.5MEDIUMNVD
GHSA6.5OSV6.5
EPSS
0.0%
top 93.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Openbao Openbao SDK V2Openbao
Timeline
PublishedJun 25
Latest updateJul 28

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages2 packages

NVDopenbao/openbao< 2.3.0

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
OpenBao Inserts Sensitive Information into Log File when processing malformed data in github.com/openbao/openbao/sdk2025-07-28
GHSA
OpenBao Inserts Sensitive Information into Log File when processing malformed data2025-06-26
OSV
OpenBao Inserts Sensitive Information into Log File when processing malformed data2025-06-26
OSV
CVE-2025-52893: OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys2025-06-25