Multi-Factor Authentication Bypass in OpenBao Software
CVE-2025-55003
5.7 MEDIUM
What is CVE-2025-55003?
A vulnerability in OpenBao's Login Multi-Factor Authentication (MFA) system allows attackers to bypass its internal rate limiting mechanisms. The flaw stems from the normalization performed by the underlying Time-based One-Time Password (TOTP) library, which accepts codes containing whitespace: a code that has already been consumed can be resubmitted with whitespace added and is not recognized as a repeat, so existing MFA codes can be reused, increasing the risk of unauthorized access. The issue is fixed in OpenBao version 2.3.2. Until the upgrade is applied, it is recommended to configure rate-limiting quotas to reduce the risk of exploitation.
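The following added example (not OpenBao's code or its actual patch) illustrates the defect class in a toy Go validator: `libraryCheck` stands in for a TOTP library that strips whitespace before comparing, `validateRaw` keys its replay tracking on the raw submission and so accepts a whitespace variant of an already-used code, while the hypothetical `validateStrict` only lets a digit-only string of the expected length reach the library. All names and the sample code `123456` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// validator tracks codes already accepted in the current TOTP window so a
// code cannot be replayed. Both methods below share one library check.
type validator struct{ used map[string]bool }

func newValidator() *validator { return &validator{used: map[string]bool{}} }

// libraryCheck stands in for a TOTP library that drops all whitespace before
// comparing, so "123 456" and "123456" both match an expected "123456".
func libraryCheck(submitted, expected string) bool {
	return strings.Join(strings.Fields(submitted), "") == expected
}

// validateRaw shows the flawed pattern: replay tracking is keyed on the raw
// submission, so each whitespace variant of one used code looks new.
func (v *validator) validateRaw(submitted, expected string) bool {
	if v.used[submitted] || !libraryCheck(submitted, expected) {
		return false
	}
	v.used[submitted] = true
	return true
}

// validateStrict (hypothetical hardening): only a digit string of the expected
// length reaches the library, so the recorded key is already canonical.
func (v *validator) validateStrict(submitted, expected string) bool {
	if len(submitted) != len(expected) {
		return false
	}
	for _, r := range submitted {
		if r < '0' || r > '9' {
			return false
		}
	}
	return v.validateRaw(submitted, expected)
}

func main() {
	v := newValidator()
	fmt.Println(v.validateRaw("123456", "123456"), v.validateRaw("123 456", "123456")) // true true
	h := newValidator()
	fmt.Println(h.validateStrict("123456", "123456"), h.validateStrict("123 456", "123456")) // true false
}
```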
Affected Version(s)
openbao < 2.3.2