Fluid Attacks Database

Description

OpenBao Userpass and LDAP User Lockout Bypass

Impact

Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Existing users may apply rate-limiting quotas on the authentication endpoints: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035

https://nvd.nist.gov/vuln/detail/CVE-2025-6004

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/openbao/openbao	>=0.1.0 <2.3.2 \|\| >=0 <0.0.0-20250807212521-c52795c1ef74	2.3.2, 0.0.0-20250807212521-c52795c1ef74

Aliases

1. CVE-2025-549982. NVD-2025-549983. NVD-2025-60044. OSV-2025-549985. GHSA-j3xv-7fxp-gfhx6. GCVE-2025-54998

References

1. https://github.com/openbao/openbao/security/advisories/GHSA-j3xv-7fxp-gfhx2. https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc3. https://discuss.hashicorp.com/t/hcsec-2025-16-vault-userpass-and-ldap-user-lockout-bypass/76035