CVE-2025-55000

CVE-2025-55000 PUBLISHED CVSS 6.5 MEDIUM

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept a valid code multiple times rather than strictly once. This was caused by unexpected normalization in the underlying TOTP library. As a workaround, ensure that all codes are normalized before they are submitted to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.
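
The workaround above, sketched as a guard that a verifying system could run before it calls the OpenBao endpoint. This is an added example, not OpenBao's code: `ReplayGuard`, `CanonicalCode`, the key name, the 90-second window and the sample codes are constructed, and it assumes the normalization at issue is surrounding whitespace, which the description does not specify.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

var ErrMalformed = errors.New("code is not the expected number of ASCII digits")
var ErrReplayed = errors.New("code already admitted for this key")
// ReplayGuard (hypothetical helper) remembers admitted codes per key name.
type ReplayGuard struct {
	mu   sync.Mutex
	ttl  time.Duration        // keep at least as long as a code stays valid
	seen map[string]time.Time // key + NUL + canonical code -> expiry
}

// CanonicalCode trims whitespace (assumed normalization) and refuses anything but N ASCII digits.
func CanonicalCode(raw string, digits int) (string, error) {
	c := strings.TrimSpace(raw)
	if len(c) != digits || strings.Trim(c, "0123456789") != "" {
		return "", ErrMalformed
	}
	return c, nil
}

// Admit returns the canonical code to forward for verification, or an error.
func (g *ReplayGuard) Admit(key, raw string, digits int, now time.Time) (string, error) {
	c, err := CanonicalCode(raw, digits)
	if err != nil {
		return "", err
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	id := key + "\x00" + c // index on the canonical form, never the raw input
	if exp, ok := g.seen[id]; ok && now.Before(exp) {
		return "", ErrReplayed
	}
	g.seen[id] = now.Add(g.ttl)
	return c, nil
}

func main() {
	g := &ReplayGuard{ttl: 90 * time.Second, seen: map[string]time.Time{}}
	for _, raw := range []string{"492039", "492039 ", "49203"} { // constructed inputs
		fmt.Println(g.Admit("example-key", raw, 6, time.Now()))
	}
}
```

Only the string returned by `Admit` should be forwarded for verification, so every spelling of a code maps to a single cache entry.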

EPSS 0.15% · 35.3th percentile

Risk Scores

CVSS 3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.15% (35.3th percentile)

Affected Products

Vendor | Product | Versions
github.com | openbao/openbao | 0.1.0, 0
openbao | openbao | 0, *

Timeline

  • Jan 21, 1970 Security Advisory
  • Aug 8, 2025 CVE Published
  • Aug 9, 2025 EPSS Score
  • Aug 9, 2025 Coalition ESS Score
  • Aug 11, 2025 CVE Updated
  • Aug 11, 2025 Coalition ESS Score
  • Aug 12, 2025 Coalition ESS Score
  • Aug 17, 2025 EPSS Score
  • Aug 22, 2025 Coalition ESS Score
  • Aug 26, 2025 EPSS Score
  • Aug 26, 2025 Coalition ESS Score
  • Sep 3, 2025 EPSS Score