PT-2025-32380 · Openbao
Reported by Cipherboy · Published 2025-08-08 · Updated 2025-09-12
CVE-2025-54998
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenBao versions 0.1.0 through 2.3.1
Description
Attackers could bypass the automatic user lockout mechanism of the OpenBao Userpass and LDAP authentication methods. The pre-flight lockout check and the full login request attributed the user to different entity aliases, so the lockout state consulted before a login was not the state updated by that login's failure. An unauthenticated attacker could therefore keep submitting password guesses against a single account without the configured failure threshold ever taking effect.
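The following is an added illustration of the bug class, not OpenBao's code and not the actual fix. It models a userpass lockout in Go where the pre-flight check and the full login derive the entity alias through different functions, then shows the same backend with one canonical derivation used for both. The case-folding mismatch, the `AsSubmitted`/`CaseFolded` helpers and the credential store are assumptions for the example; the advisory does not say how the two aliases actually differed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Lockout counts consecutive failed logins per entity alias. Once Threshold
// failures are recorded under an alias, logins under it are rejected for
// Duration before the credential is checked. (Single-goroutine toy, no locking.)
type Lockout struct {
	Threshold int
	Duration  time.Duration
	now       func() time.Time // injectable clock so the example is deterministic
	failures  map[string]int
	lockedAt  map[string]time.Time
}

func NewLockout(threshold int, d time.Duration, now func() time.Time) *Lockout {
	return &Lockout{Threshold: threshold, Duration: d, now: now,
		failures: map[string]int{}, lockedAt: map[string]time.Time{}}
}

// IsLocked is the pre-flight check run before the credential is verified.
func (l *Lockout) IsLocked(alias string) bool {
	t, ok := l.lockedAt[alias]
	if !ok {
		return false
	}
	if l.now().Sub(t) >= l.Duration { // lockout expired: clear the state
		delete(l.lockedAt, alias)
		delete(l.failures, alias)
		return false
	}
	return true
}

// RecordFailure is called after a full login attempt fails.
func (l *Lockout) RecordFailure(alias string) {
	l.failures[alias]++
	if l.failures[alias] >= l.Threshold {
		l.lockedAt[alias] = l.now()
	}
}

// Backend is a toy userpass backend. aliasForCheck and aliasForRecord model how
// the pre-flight lockout check and the full login attribute a request to an alias.
type Backend struct {
	users          map[string]string
	lockout        *Lockout
	aliasForCheck  func(string) string
	aliasForRecord func(string) string
}

// NewBackend wires the lockout to the two alias derivations. Passing one
// canonical function for both is the fix; passing two that can disagree for
// the same user reproduces the bug class described in the advisory.
func NewBackend(l *Lockout, check, record func(string) string) *Backend {
	return &Backend{users: map[string]string{"admin": "correct horse battery staple"}, // constructed
		lockout: l, aliasForCheck: check, aliasForRecord: record}
}

// AsSubmitted and CaseFolded disagree for "Admin" versus "admin". This
// particular mismatch is a hypothetical stand-in for the real one.
func AsSubmitted(u string) string { return u }
func CaseFolded(u string) string { return strings.ToLower(u) }

// Login returns (authenticated, rejectedByLockout).
func (b *Backend) Login(username, password string) (bool, bool) {
	if b.lockout.IsLocked(b.aliasForCheck(username)) {
		return false, true
	}
	if pw, ok := b.users[CaseFolded(username)]; ok && pw == password {
		return true, false
	}
	b.lockout.RecordFailure(b.aliasForRecord(username))
	return false, false
}

// BruteForce submits n wrong passwords for username and returns how many of
// them reached the credential check instead of being stopped by the lockout.
func BruteForce(b *Backend, username string, n int) int {
	reached := 0
	for i := 0; i < n; i++ {
		if _, locked := b.Login(username, fmt.Sprintf("guess-%d", i)); !locked {
			reached++
		}
	}
	return reached
}

func main() {
	clock := func() time.Time { return time.Unix(0, 0) }
	vuln := NewBackend(NewLockout(5, 15*time.Minute, clock), AsSubmitted, CaseFolded)
	fixed := NewBackend(NewLockout(5, 15*time.Minute, clock), CaseFolded, CaseFolded)
	// Guessing as "Admin": the vulnerable backend never locks, the fixed one does.
	fmt.Println("vulnerable:", BruteForce(vuln, "Admin", 20), "fixed:", BruteForce(fixed, "Admin", 20))
}
```

The point of the model is that a lockout is only as good as the consistency of the key it is stored under: if the attacker can choose a form of the username for which the pre-flight lookup and the failure record land on different aliases, the counter the check reads never advances. The fix is to derive the alias exactly once, through the same canonical function, and use that value on both paths.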
Recommendations
Update to version 2.3.2, which resolves this issue.
Until the update is applied, apply rate-limiting quotas on the authentication endpoints to slow down password guessing. A rate-limit quota caps request volume on the path; it does not by itself restore per-user lockout, so it is a compensating control rather than a fix.
Weakness Enumeration
CWE-307: Improper Restriction of Excessive Authentication Attempts
Affected Products
Openbao
Red Os