CVE-2025-54997 Information

Description

OpenBao is a software solution for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. In versions 2.3.1 and earlier, some OpenBao deployments intentionally prevent privileged API operators from executing code on the underlying host or making network connections. These operators can nevertheless bypass both restrictions through the audit subsystem by manipulating audit log prefixes, gaining code execution and network access that violate the intended security model. The issue is fixed in version 2.3.2. As a workaround, access to the sys/audit/ endpoints can be blocked with explicit deny policies; root operators cannot be restricted this way, because root tokens are not subject to ACL policies, so upgrading is the only fix for them.
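The workaround policy, written out as an added example in OpenBao/Vault ACL policy syntax (this is not code from the advisory or the OpenBao project; the policy name "no-audit-mgmt" and the file name are assumptions):

```hcl
# no-audit-mgmt.hcl (assumed file name)
#
# Explicit deny on the audit device management endpoints. In OpenBao/Vault
# policy evaluation, "deny" on a path takes precedence over any capability
# granted on the same path by another policy attached to the token, so this
# policy can be layered on top of an existing operator policy.

# sys/audit/<path> is used to enable and disable audit devices; this is
# the surface the advisory's workaround tells operators to block.
path "sys/audit/*" {
  capabilities = ["deny"]
}

# sys/audit (no trailing segment) lists enabled audit devices. Denying it
# is optional for the workaround but keeps the whole subsystem closed to
# these operators.
path "sys/audit" {
  capabilities = ["deny"]
}
```

Load it with `bao policy write no-audit-mgmt no-audit-mgmt.hcl` and attach it to the tokens, entities, or auth roles of the privileged operators in question, then confirm with `bao policy read no-audit-mgmt`. Tokens carrying the root policy bypass ACL evaluation entirely, so for root operators this policy has no effect; only version 2.3.2 or later closes the issue for them.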

Reference

https://discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
https://github.com/openbao/openbao/pull/1634
https://github.com/openbao/openbao/releases/tag/v2.3.2
https://github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp

CNNVD-202508-807 (Published: 2025-08-09)