logo

Database

User enumeration In github.com/openbao/openbao

Description

OpenBao has a Timing Side-Channel in the Userpass Auth Method

Impact

When using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

Barring further information, this is also assumed to cover and remediate the following additional vulnerability:

If this is not the case as further details emerge, a new CVE will be assigned for remediating that. Otherwise, no further CVE will be sought.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-549992. NVD-2025-549993. NVD-2025-60114. OSV-2025-549995. GHSA-hh28-h22f-83576. GCVE-2025-54999

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-83572. https://github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d66263. https://discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/760344. https://discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.