CVE-2025-55000Improper Neutralization of Whitespace in Openbao Openbao

CWE-156Improper Neutralization of Whitespace7 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.0%
top 89.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Github.com Openbao OpenbaoOpenbaoGoogle Chrome Chrome
Timeline
PublishedAug 9
Latest updateOct 28

Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only tru

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

NVDopenbao/openbao< 2.3.2
Gogithub.com/openbao_openbao0.1.02.3.2+2
CVEListV5openbao/openbao>= 0.1.0, < 2.3.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
OpenBao TOTP Secrets Engine Code Reuse in github.com/openbao/openbao2025-08-11
OSV
OpenBao TOTP Secrets Engine Code Reuse2025-08-08
GHSA
OpenBao TOTP Secrets Engine Code Reuse2025-08-08

📋Vendor Advisories

3
Chrome
Stable Channel Update for Desktop: CVE-2025-132262025-10-28
Chrome
Stable Channel Update for Desktop: CVE-2025-132292025-10-28
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2025-19162025-03-18