GHSA-PRPJ-RCHP-9J5H

Vulnerability from github – Published: 2025-06-26 21:29 – Updated: 2025-08-12 20:30
VLAI?
Summary
OpenBao allows cancellation of root rekey and recovery rekey operations without authentication
Details

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.3.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250625150133-fe75468822a2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-26T21:29:05Z",
    "nvd_published_at": "2025-06-25T17:15:39Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.\n\n### Patches\n\nIn OpenBao v2.2.2 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners.\n\nIn a future OpenBao release [communicated on our website](https://openbao.org/docs/deprecation/), we will set this to `true` for all users and provide an authenticated alternative.\n\nThis vulnerability has been disclosed to HashiCorp; see their website for more information. \n\n### Workarounds\n\nIf an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.\n\n### References\n\nSee the [deprecation notice](https://openbao.org/docs/deprecation/unauthed-rekey/).",
  "id": "GHSA-prpj-rchp-9j5h",
  "modified": "2025-08-12T20:30:31Z",
  "published": "2025-06-26T21:29:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/releases/tag/v2.3.1"
    },
    {
      "type": "WEB",
      "url": "https://openbao.org/docs/deprecation"
    },
    {
      "type": "WEB",
      "url": "https://openbao.org/docs/deprecation/unauthed-rekey"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3783"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenBao allows cancellation of root rekey and recovery rekey operations without authentication"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.