{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T03:22:26.154","vulnerabilities":[{"cve":{"id":"CVE-2025-55000","sourceIdentifier":"security-advisories@github.com","published":"2025-08-09T03:15:46.737","lastModified":"2025-11-13T17:55:51.443","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."},{"lang":"es","value":"OpenBao existe para proporcionar una solución de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 0.1.0 a 2.3.1, el motor de secretos TOTP de OpenBao podía aceptar códigos válidos varias veces en lugar de solo una. Esto se debía a una normalización inesperada en la librería TOTP subyacente. Para solucionar este problema, asegúrese de que todos los códigos se normalicen antes de enviarlos al endpoint de OpenBao. La verificación de códigos TOTP es una acción privilegiada; solo los sistemas de confianza deben verificar los códigos."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-156"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.2","matchCriteriaId":"5572B591-02AC-4B8F-8956-FC9A606D7F32"}]}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}