Multi-Factor Authentication Bypass in OpenBao Software
CVE-2025-55003
What is CVE-2025-55003?
A significant vulnerability in OpenBao's Login Multi-Factor Authentication (MFA) system allows attackers to bypass internal rate limiting mechanisms. This vulnerability arises from the normalization process applied by the underlying Time-based One-Time Password (TOTP) library, which accepts codes containing whitespace. This flaw enables attackers to reuse existing MFA codes, increasing the risk of unauthorized access. The issue has been addressed in OpenBao version 2.3.2. To mitigate potential exploitation of this vulnerability, it is recommended to implement rate-limiting quotas.
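The class of bug described above, as an added illustration that is not OpenBao's code: a verifier that tracks used or attempted codes by the raw submitted string while the TOTP library it calls strips whitespace before comparing, next to a verifier that canonicalizes and validates the input before it reaches the library. The secret, timestamp and replay-set model are constructed for the demo and simplified relative to a real Login MFA implementation.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not real credentials
DEMO_SECRET = b"constructed-demo-secret"
DEMO_TIME = 1_700_000_000


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def library_normalize(code: str) -> str:
    """Models a TOTP library that silently strips whitespace before comparing."""
    return "".join(code.split())


class VulnerableVerifier:
    """Replay tracking keyed on the raw string, validation on the normalized one.
    '123456' and '123 456' are recorded as different codes, so a code that has
    already been consumed passes again when resubmitted with whitespace."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used: set[str] = set()

    def verify(self, code: str, now: int) -> bool:
        if code in self.used:  # replay check on the raw input
            return False
        if not hmac.compare_digest(library_normalize(code), totp(self.secret, now)):
            return False
        self.used.add(code)
        return True


class FixedVerifier(VulnerableVerifier):
    """Reject anything that is not exactly six ASCII digits before the library
    sees it, so the replay set is keyed on one canonical form per code."""

    def verify(self, code: str, now: int) -> bool:
        if len(code) != 6 or not (code.isascii() and code.isdigit()):
            return False  # whitespace or other non-digit input never reaches the library
        return super().verify(code, now)
```

Canonical-form validation closes the replay gap shown here; the rate-limiting quotas the advisory recommends are an additional control that bounds attempts regardless of how the input is spelled.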

Affected Version(s)
openbao < 2.3.2
