CVE-2025-55000 MEDIUM

CVE-2025-55000: OpenBao TOTP Secrets Engine Enables Code Reuse

Vendor Openbao
Product openbao
Weakness CWE-156
Published August 9, 2025
Last update August 11, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.

Key dates

02Disclosure timeline

August 9, 2025 CVE published
August 11, 2025 Record updated