
CVE-2025-52893: OpenBao Inserts Sensitive Information into Log File when processing malformed data

CVSS 3.1 Score: 4.5

Basic Information

EPSS Score: 0.0364%
Published: 6/26/2025
Updated: 6/26/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/openbao/openbao/sdk/v2/framework | go | < 2.3.0 | 2.3.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a case of sensitive information being inserted into log files. The root cause is not within the OpenBao codebase itself, but in a third-party dependency, github.com/go-viper/mapstructure. This library is used to decode configuration or request data into Go structs.

Analysis of the patch commit ed3f92181528ff776a0324107b8b55026e93766a shows that the error-message functions in mapstructure were changed to omit the offending data value from the error strings.

Specifically, the Error() methods of the UnconvertibleTypeError and ParseError structs no longer include the e.Value field in the formatted error string. The log message quoted in the vulnerability description (error converting input for field "password": ... value: '<sensitive data>') corresponds directly to the output of the old (*UnconvertibleTypeError).Error method.

When an application such as OpenBao receives a request with malformed data in a sensitive field (e.g., a JSON object where a password string is expected), it passes that data to mapstructure. mapstructure fails to convert it and generates a detailed error message that embeds the malformed, sensitive value. OpenBao then catches and logs this error, which is the information leak. The functions identified below are the exact source of the error messages that carry the sensitive data.

Vulnerable functions

`github.com/go-viper/mapstructure.(*UnconvertibleTypeError).Error` (errors.go)

The vulnerable version of this function included the raw value that failed to be converted in the error message. When this function was called with sensitive data (e.g., a password field containing a complex object instead of a string), the sensitive data was included in the returned error string, which was then written to log files by the calling application (OpenBao/Vault).

`github.com/go-viper/mapstructure.(*ParseError).Error` (errors.go)

Similar to `(*UnconvertibleTypeError).Error`, this function also included the raw value that failed to parse in the error message it generated. This could lead to the logging of sensitive information if the value being parsed was sensitive.
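The pre-patch and post-patch behaviour described above, as an added Go example that is not mapstructure's or OpenBao's own code: `fieldTypeError`, `decodeField` and the sample request body are illustrative stand-ins modelled on the page's description of `(*UnconvertibleTypeError).Error`, and the patched `Error` keeps the field and type names while dropping the value.

```go
package main

import (
	"fmt"
	"log"
	"reflect"
)

// fieldTypeError models the error the page describes (a request field whose input
// cannot be converted to the struct field's type); it is not mapstructure's own type.
type fieldTypeError struct {
	Name     string
	Expected reflect.Type
	Value    reflect.Value
}

// vulnerableMessage mirrors the pre-patch behaviour: the raw input is interpolated
// into the error text, so a malformed password field reaches the caller's log.
func (e *fieldTypeError) vulnerableMessage() string {
	return fmt.Sprintf("'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
		e.Name, e.Expected, e.Value.Type(), e.Value.Interface())
}

// Error mirrors the patched behaviour: type names only, never the value itself.
func (e *fieldTypeError) Error() string {
	return fmt.Sprintf("'%s' expected type '%s', got unconvertible type '%s'",
		e.Name, e.Expected, e.Value.Type())
}

// decodeField returns a *fieldTypeError when the decoded JSON value cannot be
// assigned to the target field's Go type, and nil when it can.
func decodeField(name string, expected reflect.Type, raw interface{}) error {
	v := reflect.ValueOf(raw)
	if !v.IsValid() || !v.Type().AssignableTo(expected) {
		return &fieldTypeError{Name: name, Expected: expected, Value: v}
	}
	return nil
}

func main() {
	// Constructed malformed request body: the password arrives as a JSON object
	// where the target struct expects a string (the case the advisory describes).
	body := map[string]interface{}{"password": map[string]interface{}{"v": "hunter2-SAMPLE"}}
	if fe, ok := decodeField("password", reflect.TypeOf(""), body["password"]).(*fieldTypeError); ok {
		log.Printf("pre-patch log line:  %s", fe.vulnerableMessage())
		log.Printf("post-patch log line: %s", fe.Error())
	}
}
```

Running it prints the two log lines side by side; only the pre-patch line contains the constructed sample value.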

WAF Protection Rules

WAF Rule

### Impact

OpenBao before v*.*.* and HashiCorp Vault as of the current v*.**.* may leak sensitive information in logs when processing malformed data. This is separate from the earlier **S**-****-** / *V*-****-****.

### Patches

This issue has been
