CWE-156
AllowedImproper Neutralization of Whitespace
Abstraction: Variant · Status: Draft
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.
9 vulnerabilities reference this CWE, most recent first.
CVE-2025-55001 (GCVE-0-2025-55001)
Vulnerability from cvelistv5 – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:45- CWE-156 - Improper Neutralization of Whitespace
| URL | Tags |
|---|---|
| https://github.com/openbao/openbao/security/advis… | x_refsource_CONFIRM |
| https://github.com/openbao/openbao/commit/c52795c… | x_refsource_MISC |
| https://discuss.hashicorp.com/t/hcsec-2025-20-vau… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T14:45:22.660667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T14:45:37.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openbao",
"vendor": "openbao",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-156",
"description": "CWE-156: Improper Neutralization of Whitespace",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T02:01:29.056Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
},
{
"name": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
},
{
"name": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
}
],
"source": {
"advisory": "GHSA-2q8q-8fgw-9p6p",
"discovery": "UNKNOWN"
},
"title": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55001",
"datePublished": "2025-08-09T02:01:29.056Z",
"dateReserved": "2025-08-04T17:34:24.421Z",
"dateUpdated": "2025-08-11T14:45:37.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55000 (GCVE-0-2025-55000)
Vulnerability from cvelistv5 – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:43- CWE-156 - Improper Neutralization of Whitespace
| URL | Tags |
|---|---|
| https://github.com/openbao/openbao/security/advis… | x_refsource_CONFIRM |
| https://github.com/openbao/openbao/commit/183891f… | x_refsource_MISC |
| https://discuss.hashicorp.com/t/hcsec-2025-17-vau… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T14:42:51.463552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T14:43:10.004Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openbao",
"vendor": "openbao",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1.0, \u003c 2.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao\u0027s TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-156",
"description": "CWE-156: Improper Neutralization of Whitespace",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T02:01:16.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
},
{
"name": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
},
{
"name": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
}
],
"source": {
"advisory": "GHSA-f7c3-mhj2-9pvg",
"discovery": "UNKNOWN"
},
"title": "OpenBao TOTP Secrets Engine Enables Code Reuse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55000",
"datePublished": "2025-08-09T02:01:16.409Z",
"dateReserved": "2025-08-04T17:34:24.421Z",
"dateUpdated": "2025-08-11T14:43:10.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6014 (GCVE-0-2025-6014)
Vulnerability from cvelistv5 – Published: 2025-08-01 17:50 – Updated: 2025-08-01 18:05- CWE-156 - Improper Neutralization of Whitespace
| Vendor | Product | Version | |
|---|---|---|---|
| HashiCorp | Vault |
Affected:
0 , < 1.20.1
(semver)
|
|
| HashiCorp | Vault Enterprise |
Affected:
0 , < 1.20.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-01T18:05:29.589836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T18:05:37.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Vault",
"repo": "https://github.com/hashicorp/vault",
"vendor": "HashiCorp",
"versions": [
{
"lessThan": "1.20.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Vault Enterprise",
"repo": "https://github.com/hashicorp/vault",
"vendor": "HashiCorp",
"versions": [
{
"changes": [
{
"at": "1.19.7",
"status": "unaffected"
},
{
"at": "1.18.12",
"status": "unaffected"
},
{
"at": "1.16.23",
"status": "unaffected"
}
],
"lessThan": "1.20.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.\u003c/p\u003e\u003cbr/\u003e"
}
],
"value": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153: Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-156",
"description": "CWE-156: Improper Neutralization of Whitespace",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T17:50:09.308Z",
"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"shortName": "HashiCorp"
},
"references": [
{
"url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
}
],
"source": {
"advisory": "HCSEC-2025-17",
"discovery": "EXTERNAL"
},
"title": "Vault TOTP Secrets Engine Code Reuse"
}
},
"cveMetadata": {
"assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"assignerShortName": "HashiCorp",
"cveId": "CVE-2025-6014",
"datePublished": "2025-08-01T17:50:09.308Z",
"dateReserved": "2025-06-11T19:02:59.572Z",
"dateUpdated": "2025-08-01T18:05:37.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6013 (GCVE-0-2025-6013)
Vulnerability from cvelistv5 – Published: 2025-08-06 10:06 – Updated: 2026-02-26 17:49- CWE-156 - Improper Neutralization of Whitespace
| Vendor | Product | Version | |
|---|---|---|---|
| HashiCorp | Vault |
Affected:
1.10.0 , < 1.20.2
(semver)
|
|
| HashiCorp | Vault Enterprise |
Affected:
1.10.0 , < 1.20.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-07T03:55:19.963641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:53.769Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Vault",
"repo": "https://github.com/hashicorp/vault",
"vendor": "HashiCorp",
"versions": [
{
"lessThan": "1.20.2",
"status": "affected",
"version": "1.10.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"64 bit",
"32 bit",
"x86",
"ARM",
"MacOS",
"Windows",
"Linux"
],
"product": "Vault Enterprise",
"repo": "https://github.com/hashicorp/vault",
"vendor": "HashiCorp",
"versions": [
{
"changes": [
{
"at": "1.19.8",
"status": "unaffected"
},
{
"at": "1.18.13",
"status": "unaffected"
},
{
"at": "1.16.24",
"status": "unaffected"
}
],
"lessThan": "1.20.2",
"status": "affected",
"version": "1.10.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.\u003c/p\u003e\u003cbr/\u003e"
}
],
"value": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-156",
"description": "CWE-156: Improper Neutralization of Whitespace",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T10:06:55.668Z",
"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"shortName": "HashiCorp"
},
"references": [
{
"url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
}
],
"source": {
"advisory": "HCSEC-2025-20",
"discovery": "EXTERNAL"
},
"title": "Vault LDAP MFA Enforcement Bypass When Using Username As Alias"
}
},
"cveMetadata": {
"assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
"assignerShortName": "HashiCorp",
"cveId": "CVE-2025-6013",
"datePublished": "2025-08-06T10:06:55.668Z",
"dateReserved": "2025-06-11T19:00:51.574Z",
"dateUpdated": "2026-02-26T17:49:53.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-2Q8Q-8FGW-9P6P
Vulnerability from github – Published: 2025-08-08 15:17 – Updated: 2025-08-11 13:56Impact
OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.
Patches
OpenBao v2.3.2 will patch this issue.
Workarounds
LDAP methods are only vulnerable if using username_as_alias=true. Remove all usage of this parameter and update any entity aliases accordingly.
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
- https://nvd.nist.gov/vuln/detail/CVE-2025-6013
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250807212521-c52795c1ef74"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55001"
],
"database_specific": {
"cwe_ids": [
"CWE-156"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T15:17:09Z",
"nvd_published_at": "2025-08-09T03:15:46Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nLDAP methods are only vulnerable if using `username_as_alias=true`. Remove all usage of this parameter and update any entity aliases accordingly.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6013",
"id": "GHSA-2q8q-8fgw-9p6p",
"modified": "2025-08-11T13:56:49Z",
"published": "2025-08-08T15:17:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55001"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias"
}
GHSA-7RX2-769V-HRWF
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 18:14Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6013"
],
"database_specific": {
"cwe_ids": [
"CWE-156"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-06T18:14:06Z",
"nvd_published_at": "2025-08-06T10:15:35Z",
"severity": "MODERATE"
},
"details": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.",
"id": "GHSA-7rx2-769v-hrwf",
"modified": "2025-08-06T18:14:06Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "HashiCorp Vault ldap auth method may not have correctly enforced MFA"
}
GHSA-F7C3-MHJ2-9PVG
Vulnerability from github – Published: 2025-08-08 14:42 – Updated: 2025-08-11 13:56Impact
OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.
Patches
OpenBao v2.3.2 will patch this issue.
In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.
Workarounds
TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.
References
This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:
- https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
- https://nvd.nist.gov/vuln/detail/CVE-2025-6014
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20250806193153-183891f8d535"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55000"
],
"database_specific": {
"cwe_ids": [
"CWE-156"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T14:42:49Z",
"nvd_published_at": "2025-08-09T03:15:46Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOpenBao\u0027s TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\nIn patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.\n\n### Workarounds\n\nTOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6014",
"id": "GHSA-f7c3-mhj2-9pvg",
"modified": "2025-08-11T13:56:44Z",
"published": "2025-08-08T14:42:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55000"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenBao TOTP Secrets Engine Code Reuse"
}
GHSA-QV3P-FMV3-9HWW
Vulnerability from github – Published: 2025-08-01 18:31 – Updated: 2025-08-01 21:08Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/vault"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.20.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6014"
],
"database_specific": {
"cwe_ids": [
"CWE-156"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-01T21:08:57Z",
"nvd_published_at": "2025-08-01T18:15:56Z",
"severity": "MODERATE"
},
"details": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
"id": "GHSA-qv3p-fmv3-9hww",
"modified": "2025-08-01T21:08:57Z",
"published": "2025-08-01T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/vault"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hashicorp Vault\u0027s TOTP Secrets Engine Susceptible to Code Reuse "
}
GHSA-R3JX-6XF2-CCH5
Vulnerability from github – Published: 2025-11-20 21:30 – Updated: 2025-11-21 00:30HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.
{
"affected": [],
"aliases": [
"CVE-2025-55127"
],
"database_specific": {
"cwe_ids": [
"CWE-156"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-20T19:16:19Z",
"severity": "MODERATE"
},
"details": "HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.",
"id": "GHSA-r3jx-6xf2-cch5",
"modified": "2025-11-21T00:30:21Z",
"published": "2025-11-20T21:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55127"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3413764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Strategy: Output Encoding
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.