PT-2025-32381
Cipherboy
Published 2025-08-08 · Updated 2025-09-12
CVE-2025-54999
CVSS v3.1: 3.7 (Low)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenBao versions 0.1.0 through 2.3.1
Description
OpenBao is a software solution designed for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, user enumeration was possible when using the userpass authentication method due to timing differences between non-existent users and users with stored credentials. This issue occurred regardless of the validity of the supplied credentials.
Recommendations
OpenBao versions 2.3.2 and later resolve this issue.
As a workaround, use an alternative authentication method.
Apply rate limiting quotas to limit the number of requests within a specific timeframe.
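As an added illustration of the timing difference the description refers to, and of the usual mitigation, the following Go program (written for this entry, not OpenBao's code) contrasts a login routine that returns early for unknown users with one that always performs the same password-hash comparison, using a dummy credential when the user does not exist. The user store, the names, the iterated-SHA-256 stand-in for a real password hash and the hashCalls counter are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidLogin is the single generic error both paths return, so the
// response body itself does not distinguish unknown users from bad passwords.
var ErrInvalidLogin = errors.New("invalid username or password")

// kdfIterations makes slowHash expensive enough that skipping it is visible.
// Constructed value for the example; a real deployment uses bcrypt or similar.
const kdfIterations = 50_000

// hashCalls counts how often the expensive hash ran (for demonstration only).
var hashCalls int

// slowHash is a deliberately slow stand-in for a password hash (hypothetical,
// not OpenBao's hashing): iterated SHA-256 over salt || password.
func slowHash(password string, salt []byte) []byte {
	hashCalls++
	buf := append([]byte{}, salt...)
	buf = append(buf, password...)
	h := sha256.Sum256(buf)
	for i := 0; i < kdfIterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type storedCred struct {
	salt []byte
	hash []byte
}

type userStore map[string]storedCred

func newCred(password string) storedCred {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return storedCred{salt: salt, hash: slowHash(password, salt)}
}

// newDemoStore builds a constructed store with one user plus a dummy
// credential that is only ever used to equalise work for unknown users.
func newDemoStore() (userStore, storedCred) {
	store := userStore{"alice": newCred("correct horse battery staple")}
	dummy := newCred("dummy-never-matches")
	return store, dummy
}

// vulnerableLogin returns before any hashing when the user is unknown, so
// unknown users are answered measurably faster than known ones.
func vulnerableLogin(store userStore, user, password string) error {
	cred, ok := store[user]
	if !ok {
		return ErrInvalidLogin
	}
	if subtle.ConstantTimeCompare(slowHash(password, cred.salt), cred.hash) != 1 {
		return ErrInvalidLogin
	}
	return nil
}

// hardenedLogin always runs the hash and the constant-time comparison, against
// the dummy credential when the user is unknown, so both branches cost the same.
// The existence check is folded in after the hash so an unknown user can never
// succeed even if the dummy hash were somehow matched.
func hardenedLogin(store userStore, dummy storedCred, user, password string) error {
	cred, ok := store[user]
	if !ok {
		cred = dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(password, cred.salt), cred.hash) == 1
	if !ok || !match {
		return ErrInvalidLogin
	}
	return nil
}

func timeIt(f func()) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	store, dummy := newDemoStore()
	fmt.Printf("vulnerable: known user %v, unknown user %v\n",
		timeIt(func() { _ = vulnerableLogin(store, "alice", "wrong") }),
		timeIt(func() { _ = vulnerableLogin(store, "nobody", "wrong") }))
	fmt.Printf("hardened:   known user %v, unknown user %v\n",
		timeIt(func() { _ = hardenedLogin(store, dummy, "alice", "wrong") }),
		timeIt(func() { _ = hardenedLogin(store, dummy, "nobody", "wrong") }))
}
```

Running main prints two timing pairs: the vulnerable routine answers the unknown user in microseconds while the known user costs a full hash, whereas the hardened routine spends the same amount of work on both. The rate-limit quota recommended above reduces how many such measurements a client can take, but only equalising the work removes the signal.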
Side Channel Attack
Weakness Enumeration
Related Identifiers
Affected Products
Openbao
Red Os