4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52893

CVE-2025-52893: OpenBao Inserts Sensitive Information into Log File when processing malformed data

Impact

OpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166.

Patches

This issue has been fixed in OpenBao v2.3.0 and later.

Workarounds

Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

Remediation

Users with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching:

Audit Log

... "error":"error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" ...

Server Log

error converting input for field "password": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'

If any matches are found, rotating the affected secret is advised.

References

See also: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717

See also: https://github.com/go-viper/mapstructure/releases/tag/v2.3.0

See also: https://github.com/go-viper/mapstructure/pull/105 -> https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-52893

CVE-2025-52893:

4.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openbao/openbao/sdk/v2/framework	go	< 2.3.0	2.3.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a case of sensitive information being inserted into log files. The root cause is not within the OpenBao codebase itself, but in a third-party dependency, github.com/go-viper/mapstructure. This library is used to decode configuration or request data into Go structs.

The analysis of the provided patch commit ed3f92181528ff776a0324107b8b55026e93766a reveals that the error message generation functions within mapstructure were modified to remove the actual data value from the error strings.

Specifically, the Error() methods for UnconvertibleTypeError and ParseError structs were changed to no longer include the e.Value field in the formatted error string. The log message provided in the vulnerability description (error converting input for field "password": ... value: '<sensitive data>') directly corresponds to the output of the old (*UnconvertibleTypeError).Error function.

When an application like OpenBao receives a request with malformed data for a sensitive field (e.g., a JSON object for a password that should be a string), it uses mapstructure to process this data. mapstructure would fail and generate a detailed error message containing the malformed, sensitive data. This error would then be caught and logged by OpenBao, leading to the information leak. The identified functions are the precise source of the error messages that contain the sensitive data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-52893: OpenBao Inserts Sensitive Information into Log File when processing malformed data

Impact

Patches

Workarounds

Remediation

References

CVE-2025-52893:

4.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.5

4.5

CVE-2025-52893: OpenBao Inserts Sensitive Information into Log File when processing malformed data

Impact

Patches

Workarounds

Remediation

References

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI