Description

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/.

INFO

Published Date :

2025-08-09T02:00:27.597Z

Last Modified :

2025-08-11T14:38:33.591Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54998 vulnerability.

Vendors Products
Openbao Project
  • Openbao
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54998.

URL Resource
https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035 cve-icon cve-icon
https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc cve-icon cve-icon
https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact