CVE-2025-52893 MEDIUM

CVE-2025-52893: OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data

Vendor: Openbao
Product: openbao
Weakness: CWE-532 · Sensitive info in logs
Published: June 25, 2025
Last update: June 25, 2025

CVSS base score

4.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

OpenBao is a software solution for managing, storing, and distributing sensitive data, including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This issue is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. It has been fixed in OpenBao v2.3.0 and later. As with HCSEC-2025-09, there is no known workaround except to ensure that all clients send properly formatted requests.

Key dates

02 Disclosure timeline

June 25, 2025: CVE published
June 25, 2025: Record updated