CVE-2025-62705Log File Information Exposure in Openbao Openbao

CWE-532Log File Information Exposure4 documents3 sources
Severity
5.7MEDIUMNVD
EPSS
0.0%
top 86.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Openbao OpenbaoOpenbao
Timeline
PublishedOct 22
Latest updateOct 30

Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log, and Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDopenbao/openbao< 2.4.2
Gogithub.com/openbao_openbao< 0.0.0-20251022165510-cc2c476bac66

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao2025-10-30
GHSA
OpenBao and Vault Leak []byte Fields in Audit Logs2025-10-22
OSV
OpenBao and Vault Leak []byte Fields in Audit Logs2025-10-22