ghsa-prpj-rchp-9j5h
Vulnerability from github
Published
2025-06-26 21:29
Modified
2025-08-12 20:30
Severity ?
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
Details

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.3.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250625150133-fe75468822a2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-26T21:29:05Z",
    "nvd_published_at": "2025-06-25T17:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.\n\n### Patches\n\nIn OpenBao v2.2.2 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners.\n\nIn a future OpenBao release [communicated on our website](https://openbao.org/docs/deprecation/), we will set this to `true` for all users and provide an authenticated alternative.\n\nThis vulnerability has been disclosed to HashiCorp; see their website for more information. \n\n### Workarounds\n\nIf an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.\n\n### References\n\nSee the [deprecation notice](https://openbao.org/docs/deprecation/unauthed-rekey/).",
  "id": "GHSA-prpj-rchp-9j5h",
  "modified": "2025-08-12T20:30:31Z",
  "published": "2025-06-26T21:29:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.1"
    },
    {
      "type": "WEB",
      "url": "https://openbao.org/docs/deprecation"
    },
    {
      "type": "WEB",
      "url": "https://openbao.org/docs/deprecation/unauthed-rekey"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3783"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.