{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T23:01:37.087","vulnerabilities":[{"cve":{"id":"CVE-2025-55003","sourceIdentifier":"security-advisories@github.com","published":"2025-08-09T03:15:47.030","lastModified":"2025-08-12T20:39:40.253","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/."},{"lang":"es","value":"OpenBao existe para proporcionar una solución de software que permite gestionar, almacenar y distribuir datos confidenciales, como secretos, certificados y claves. En las versiones 2.3.1 y anteriores, el sistema de autenticación multifactor (MFA) de inicio de sesión de OpenBao permite aplicar la MFA mediante contraseñas de un solo uso basadas en tiempo (TOTP). Gracias a la normalización aplicada por la librería TOTP subyacente, se aceptaron códigos que podían contener espacios en blanco. Estos espacios en blanco podían eludir la limitación de velocidad interna del método de MFA y permitir la reutilización de códigos de MFA existentes. Este problema se solucionó en la versión 2.3.2. Para solucionarlo, el uso de cuotas de limitación de velocidad puede limitar la capacidad de un atacante para explotar esta vulnerabilidad: https://openbao.org/api-docs/system/rate-limit-quotas/."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-307"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.2","matchCriteriaId":"5572B591-02AC-4B8F-8956-FC9A606D7F32"}]}]}],"references":[{"url":"https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}