PT-2025-43404 · OpenBao

Published: 2025-10-22 · Updated: 2025-11-25 · CVE-2025-62513

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions 2.2.0 through 2.4.1
Description: OpenBao, an open source identity-based secrets management system, experienced a regression in its audit log functionality. Raw HTTP bodies from certain endpoints were not properly redacted, leading to potential information disclosure. Specifically, when using the ACME functionality of PKI, short-lived ACME verification challenge codes were leaked in the audit logs. Additionally, when using the OIDC issuer functionality, authentication and token response codes, along with claims, could be exposed in the audit logs. The leaked ACME verification codes have limited long-term usability, as they expire after verification or challenge completion. Third-party plugins may also be affected. The root cause is improper handling of HTTP bodies, which bypasses the audit log's HMAC-based redaction of request and response data.
Recommendations: Upgrade to OpenBao version 2.4.2 to address this issue. If you do not use the ACME or OIDC issuer functionality, you are not impacted.
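A defender-side check for the regression described above, added here as an example and not code from OpenBao or from the advisory: it walks JSON audit entries for the ACME and OIDC endpoint families and reports any string field under request.data or response.data that does not carry the HMAC redaction marker, which is how an operator can tell whether logs written by an affected version need to be treated as containing cleartext codes or tokens. The route prefixes, the `hmac-sha256:` marker and the string-only hashing rule are assumptions based on the Vault-style audit format that OpenBao inherits, and the sample entries are constructed.

```python
import json

# Endpoint families the advisory names as affected. The route prefixes and the
# "hmac-sha256:" redaction marker are assumptions taken from the Vault-style
# JSON audit format that OpenBao inherits; adjust them to your deployment.
AFFECTED_PATH_PREFIXES = ("pki/acme/", "identity/oidc/")
HMAC_PREFIX = "hmac-sha256:"

def _cleartext_keys(value, prefix=""):
    """Yield dotted keys whose string leaves are present but not HMAC'd.
    Only strings are checked: audit hashing redacts string values, so a
    non-string leaf is not evidence of a redaction failure (assumption)."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _cleartext_keys(v, f"{prefix}{k}.")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _cleartext_keys(v, f"{prefix}{i}.")
    elif isinstance(value, str) and value and not value.startswith(HMAC_PREFIX):
        yield prefix.rstrip(".")

def find_leaks(log_lines):
    """Return (request path, section.key) pairs for cleartext fields logged
    on ACME or OIDC endpoints. Each input line is one JSON audit entry."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        path = entry.get("request", {}).get("path", "")
        if not path.startswith(AFFECTED_PATH_PREFIXES):
            continue
        for section in ("request", "response"):
            data = entry.get(section, {}).get("data")
            for key in _cleartext_keys(data):
                findings.append((path, f"{section}.data.{key}"))
    return findings

# Constructed sample entries (not real OpenBao output): line 1 shows the
# regression, line 2 is fully redacted, line 3 is outside the affected paths.
SAMPLE_LOG = """
{"type":"response","request":{"path":"pki/acme/challenge/abc","data":{"payload":"hmac-sha256:aa11"}},"response":{"data":{"token":"raw-challenge-token"}}}
{"type":"response","request":{"path":"identity/oidc/provider/p/token","data":{"code":"hmac-sha256:bb22"}},"response":{"data":{"id_token":"hmac-sha256:cc33","access_token":"hmac-sha256:dd44"}}}
{"type":"response","request":{"path":"secret/data/app","data":{}},"response":{"data":{"value":"not-in-scope"}}}
"""
if __name__ == "__main__":
    for path, key in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"cleartext field on affected endpoint: {path} -> {key}")
```

Run it against a copy of the audit log from the affected period; a non-empty result means those entries should be handled as containing the sensitive values the advisory lists, and in a fully patched 2.4.2 deployment the same scan should return nothing for these endpoints.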

Weakness Enumeration

Insertion into Log File

Related Identifiers

BDU:2025-15603
CVE-2025-62513
GHSA-GHFH-FMX4-26H8
GO-2025-4049
OPENSUSE-SU-2025:15663-1
OPENSUSE-SU-2025:15710-1

Affected Products

Openbao
Red Os