Fluid Attacks Database

Description

OpenBao TOTP Secrets Engine Code Reuse

Impact

OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.

Patches

OpenBao v2.3.2 will patch this issue.

In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.

Workarounds

TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036

https://nvd.nist.gov/vuln/detail/CVE-2025-6014

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/openbao/openbao	>=0.1.0 <2.3.2 \|\| >=0 <0.0.0-20250806193153-183891f8d535	2.3.2, 0.0.0-20250806193153-183891f8d535

Aliases

1. CVE-2025-550002. NVD-2025-550003. NVD-2025-60144. OSV-2025-550005. GHSA-f7c3-mhj2-9pvg6. GCVE-2025-55000

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg2. https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e13. https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036