PT-2025-43411 · Hashicorp (+2) · Hashicorp Vault (+2)

Published 2025-10-22 · Updated 2025-11-28 · CVE-2025-62705

CVSS v4.0: 5.7 (Medium)
Vector: AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenBao versions prior to 2.4.2
Description: The OpenBao audit log did not properly redact sensitive fields when a subsystem returned response parameters as byte arrays ([]byte) rather than strings. Functionality that returns byte arrays was affected, notably sys/raw with base64 encoding, where the entire value read from storage was written to the audit log unredacted. Additionally, when Transit was used for Ed25519 signing operations, the derived public keys were exposed in the audit log. Third-party plugins that return []byte response parameters may also be affected. The issue is also present in HashiCorp Vault as of v1.20.4. The vulnerable parameters are []byte response parameters and derived Ed25519 public keys. The affected API endpoint is /sys/raw.
Recommendations: Update to OpenBao version 2.4.2, which fixes the issue. To prevent use of the /sys/raw endpoint altogether, make sure `raw_storage_endpoint = false` is set in the server configuration, or that the option is absent (it defaults to false).
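The following Go program is an added illustration of the bug class described above; it is not code from OpenBao, HashiCorp Vault, or this advisory. The audit salt, the response shape (a constructed `key`/`value` map standing in for a sys/raw read with base64 encoding), and the function names are all assumptions. It contrasts a redaction walker that only hashes string leaves (the flaw: a []byte leaf passes through and, once the audit device JSON-encodes it, lands in the log as base64) with one that hashes []byte leaves as well.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// auditSalt is a constructed, fixed key for this example only. A real audit
// device derives its HMAC key from a per-device salt kept in the barrier.
var auditSalt = []byte("example-audit-salt")

// hmacField is the redaction primitive: the log records "hmac-sha256:<hex>"
// in place of the plaintext, so entries stay correlatable but unreadable.
func hmacField(v []byte) string {
	m := hmac.New(sha256.New, auditSalt)
	m.Write(v)
	return "hmac-sha256:" + hex.EncodeToString(m.Sum(nil))
}

// walk copies a decoded response tree, applying leaf to every scalar.
// Maps and slices are rebuilt so the caller's response is not mutated.
func walk(v interface{}, leaf func(interface{}) interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			out[k] = walk(val, leaf)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, val := range t {
			out[i] = walk(val, leaf)
		}
		return out
	default:
		return leaf(t)
	}
}

// redactVulnerable reproduces the flaw: only string leaves are hashed, so a
// []byte leaf (what sys/raw returns with base64 encoding) passes through intact.
func redactVulnerable(resp map[string]interface{}) map[string]interface{} {
	return walk(resp, func(v interface{}) interface{} {
		if s, ok := v.(string); ok {
			return hmacField([]byte(s))
		}
		return v
	}).(map[string]interface{})
}

// redactFixed treats []byte like string: hash the raw bytes and emit the HMAC
// string, so no byte-array payload reaches the log.
func redactFixed(resp map[string]interface{}) map[string]interface{} {
	return walk(resp, func(v interface{}) interface{} {
		switch t := v.(type) {
		case string:
			return hmacField([]byte(t))
		case []byte:
			return hmacField(t)
		default:
			return v
		}
	}).(map[string]interface{})
}

// auditLine serialises the redacted response the way a JSON audit device
// would. encoding/json base64-encodes []byte, which is why an unredacted
// byte array shows up in the log as a base64 string.
func auditLine(resp map[string]interface{}) (string, error) {
	b, err := json.Marshal(map[string]interface{}{"type": "response", "response": resp})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// leaksSecret reports whether the secret appears in a log line, either
// verbatim or in the base64 form encoding/json gives a []byte.
func leaksSecret(line string, secret []byte) bool {
	return strings.Contains(line, string(secret)) ||
		strings.Contains(line, base64.StdEncoding.EncodeToString(secret))
}

// sampleRawResponse is a constructed response shaped like a sys/raw read with
// base64 encoding: the storage entry comes back as []byte, not string.
func sampleRawResponse(secret []byte) map[string]interface{} {
	return map[string]interface{}{"key": "core/mounts", "value": secret}
}

func main() {
	secret := []byte("super-secret-storage-entry")
	resp := sampleRawResponse(secret)
	for _, c := range []struct {
		name   string
		redact func(map[string]interface{}) map[string]interface{}
	}{{"vulnerable", redactVulnerable}, {"fixed", redactFixed}} {
		line, err := auditLine(c.redact(resp))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s leaks=%v %s\n", c.name, leaksSecret(line, secret), line)
	}
}
```

The same `leaksSecret` check, run against real audit output after reading a known storage entry through /sys/raw, is a quick way to confirm whether a deployment still writes byte-array values in the clear.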

Weakness Enumeration

Insertion of Sensitive Information into Log File (CWE-532)

Related identifiers

CVE-2025-62705
GHSA-RC54-2G2C-G36G
GO-2025-4052
OPENSUSE-SU-2025:15663-1
OPENSUSE-SU-2025:15710-1

Affected products

Hashicorp Vault
Openbao
Red Os