PT-2025-32382
Cipherboy · Published 2025-08-08 · Updated 2025-09-12
CVE-2025-55000
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenBao versions 0.1.0 through 2.3.1
Description
OpenBao's TOTP secrets engine could accept a valid Time-based One-Time Password (TOTP) code more than once instead of exactly once. The issue stemmed from unexpected normalization of submitted codes within the underlying TOTP library. TOTP code verification is a privileged action and should only be performed by trusted systems.
Recommendations
Versions prior to 2.3.2 are affected.
Ensure all codes are normalized before they are submitted to the OpenBao endpoint.
Affected Products: OpenBao, Red OS