PT-2025-32384 · OpenBao

Cipherboy · Published 2025-08-08 · Updated 2025-09-12 · CVE-2025-55003

CVSS v2.0: 6.8 Medium
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions 2.3.1 and below
Description: OpenBao's Login Multi-Factor Authentication (MFA) system, using Time-based One-Time Passwords (TOTP), accepted codes containing whitespace because the underlying TOTP library normalized the submitted string before validating it. OpenBao's own tracking of already-used codes and its internal rate limiting keyed on the string as submitted, so a whitespace-padded copy of a code that had already been accepted passed both checks and the code could be reused within its validity window.
Recommendations: Upgrade to version 2.3.2, which resolves the issue. Until then, configure rate-limiting quotas to bound the number of login attempts an attacker can make.
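The interaction the description refers to, as an added example in Go that is not OpenBao's code and not the TOTP library's: a minimal RFC 6238 generator, a stand-in for the library that trims surrounding whitespace before comparing (an assumption about the normalization; this page does not state exactly what the real library does), a replay record keyed by the submitted string, and a hardened verifier that enforces a strict six-digit shape before anything else sees the input. The secret, timestamp, function names and error values are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// totpCode derives a 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for a raw secret.
func totpCode(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", truncated%1000000)
}

// libraryValidate stands in for the upstream TOTP library. The assumption modelled here is
// that the library trims surrounding whitespace from the passcode before comparing it.
func libraryValidate(passcode string, secret []byte, t time.Time) bool {
	passcode = strings.TrimSpace(passcode) // the normalization the advisory refers to
	if len(passcode) != 6 {
		return false
	}
	return hmac.Equal([]byte(passcode), []byte(totpCode(secret, t)))
}

var (
	errReplay  = errors.New("code already used")
	errInvalid = errors.New("invalid code")
)

// usedCodes records codes already accepted for one entity, keyed by the submitted string.
type usedCodes map[string]bool

// vulnerableVerify keys its replay record on the raw submitted string: "123456" and " 123456"
// become two distinct entries even though the library validates both as the same code.
func vulnerableVerify(used usedCodes, code string, secret []byte, t time.Time) error {
	if used[code] {
		return errReplay
	}
	if !libraryValidate(code, secret, t) {
		return errInvalid
	}
	used[code] = true
	return nil
}

// isSixDigits is the strict shape check applied before any other processing.
func isSixDigits(s string) bool {
	if len(s) != 6 {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

// fixedVerify rejects anything that is not exactly six ASCII digits before the replay record
// or the library sees it, so every spelling of a code collapses to a single tracked entry.
// This is one way to close the gap; it is not a claim about OpenBao's actual patch.
func fixedVerify(used usedCodes, code string, secret []byte, t time.Time) error {
	if !isSixDigits(code) {
		return errInvalid
	}
	if used[code] {
		return errReplay
	}
	if !libraryValidate(code, secret, t) {
		return errInvalid
	}
	used[code] = true
	return nil
}

// demo replays a whitespace-padded copy of an already-used code against both verifiers and
// reports whether each accepted the replay. Secret and timestamp are constructed for the demo.
func demo() (vulnerableAccepted, fixedAccepted bool) {
	secret := []byte("constructed-demo-secret-not-a-real-seed")
	now := time.Unix(1700000000, 0)
	code := totpCode(secret, now)

	v := usedCodes{}
	vulnerableVerify(v, code, secret, now)
	vulnerableAccepted = vulnerableVerify(v, " "+code+"\t", secret, now) == nil

	f := usedCodes{}
	fixedVerify(f, code, secret, now)
	fixedAccepted = fixedVerify(f, " "+code+"\t", secret, now) == nil
	return vulnerableAccepted, fixedAccepted
}

func main() {
	vuln, fixed := demo()
	fmt.Printf("whitespace-padded replay accepted: vulnerable=%v fixed=%v\n", vuln, fixed)
}
```

Running it prints `vulnerable=true fixed=false`. The hardened path rejects rather than normalizes: if OpenBao-side code tried to normalize the string itself, it would have to match the library's normalization exactly or a new discrepancy would reopen the same gap, whereas a strict shape check makes the replay key and the value the library validates the same string. Note that per-code replay tracking only protects within a code's validity window; bounding brute force is the job of the rate-limiting quotas the recommendations mention.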


Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

BDU:2025-11278
CVE-2025-55003
GHSA-RXP7-9Q75-VJ3P
GO-2025-3856
OPENSUSE-SU-2025:15434-1
OPENSUSE-SU-2025:15460-1
SUSE-SU-2025:02912-1

Affected Products

OpenBao
RED OS