6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-55000

GHSA ID

GHSA-f7c3-mhj2-9pvg

EPSS Score

CWE

CWE-156

Published

8/8/2025

Updated

8/8/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-55000

CVE-2025-55000: OpenBao TOTP Secrets Engine Code Reuse

Impact

OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.

Patches

OpenBao v2.3.2 will patch this issue.

In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.

Workarounds

TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
https://nvd.nist.gov/vuln/detail/CVE-2025-6014

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-55000

GHSA ID

GHSA-f7c3-mhj2-9pvg

EPSS Score

CWE

CWE-156

Published

8/8/2025

Updated

8/8/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openbao/openbao	go	>= 0.1.0, < 2.3.2	2.3.2
github.com/openbao/openbao	go	< 0.0.0-20250806193153-183891f8d535	0.0.0-20250806193153-183891f8d535

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security advisory and the associated commit 183891f8d535d5b6eb3d79fda8200cade6de99e1 clearly indicates that the vulnerability is located in the TOTP code validation path. The commit message explicitly states that the underlying TOTP library transparently removes whitespace, while OpenBao's own code reuse cache did not. This created a loophole where codes with whitespace could bypass the replay attack prevention.

The patch addresses this by adding a strict validation check in the backend.pathValidateCode function within builtin/logical/totp/path_code.go. The new code, strings.TrimSpace(code) != code, ensures that any submitted code containing leading or trailing whitespace is rejected before it can be processed by the TOTP library or checked against the used-code cache. This change effectively closes the reuse vulnerability. Therefore, the backend.pathValidateCode function is the precise location of the vulnerability and the function that would appear in a runtime profile during exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Op*n**o's TOTP s**r*ts *n*in* *oul* ****pt v*li* *o**s multipl* tim*s r*t**r t**n stri*tly-on**. T*is w*s **us** *y un*xp**t** norm*liz*tion in t** un**rlyin* TOTP li*r*ry. ### P*t***s Op*n**o v*.*.* will p*t** t*is issu*. In p*t**in*,

Reasoning

T** *n*lysis o* t** s**urity **visory *n* t** *sso*i*t** *ommit `****************************************` *l**rly in*i**t*s t**t t** vuln*r**ility is lo**t** in t** TOTP *o** v*li**tion p*t*. T** *ommit m*ss*** *xpli*itly st*t*s t**t t** un**rlyin*

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-55000: OpenBao TOTP Secrets Engine Code Reuse

Impact

Patches

Workarounds

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI