CVE-2025-62705 MEDIUM

CVE-2025-62705: OpenBao and Vault Leak []byte Fields in Audit Logs

Vendor Openbao
Product openbao
Weakness CWE-532 · Sensitive info in logs
Published October 22, 2025
Last update October 23, 2025

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.2, OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log, and Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log. This issue has been patched in OpenBao 2.4.2.

Key dates

02Disclosure timeline

October 22, 2025 CVE published
October 23, 2025 Record updated