CVE-2025-54998 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-54998 PUBLISHED CVSS 5.300000190734863 MEDIUM

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.

EPSS 0.04% · 13.2th percentile

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

0.04%

13.2th percentile

Affected Products

Vendor	Product	Versions
openbao	openbao	>= 0.1.0, < 2.3.2, 0
github.com	openbao/openbao	0.1.0, 0

Timeline

Jan 21, 1970 Security Advisory
Aug 8, 2025 CVE Published
Aug 9, 2025 EPSS Score
Aug 9, 2025 Coalition ESS Score
Aug 11, 2025 CVE Updated
Aug 11, 2025 Coalition ESS Score
Aug 12, 2025 Coalition ESS Score
Aug 17, 2025 EPSS Score
Aug 22, 2025 Coalition ESS Score
Aug 25, 2025 EPSS Score
Aug 26, 2025 Coalition ESS Score
Sep 2, 2025 EPSS Score

References

Open in Interactive Console →