CVE-2025-54997Code Injection in Openbao Openbao

CWE-94Code Injection4 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.2%
top 62.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Openbao OpenbaoOpenbao
Timeline
PublishedAug 9
Latest updateAug 11

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:HExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

NVDopenbao/openbao< 2.3.2
Gogithub.com/openbao_openbao0.1.02.3.2+2

🔴Vulnerability Details

3
OSV
Privileged OpenBao Operator May Execute Code on the Underlying Host in github.com/openbao/openbao2025-08-11
GHSA
Privileged OpenBao Operator May Execute Code on the Underlying Host2025-08-08
OSV
Privileged OpenBao Operator May Execute Code on the Underlying Host2025-08-08