CVE-2025-55000

OpenBao TOTP Secrets Engine Enables Code Reuse

CVSS 6.5 MEDIUM
EPSS 0.2%
CWE-156

In short

OpenBao's TOTP secrets engine accepts the same authentication code multiple times instead of just once, allowing someone who obtains a valid code to reuse it for unauthorized access. This weakens the security of time-based one-time passwords, which are meant to be single-use.

Technical detail

The TOTP secrets engine in OpenBao versions 0.1.0 through 2.3.1 fails to enforce strict single-use validation of time-based one-time passwords because of unexpected normalization behavior in the underlying TOTP library, enabling code reuse attacks. An attacker who obtains a valid TOTP code can replay it multiple times against the verification endpoint, which is a privileged action. The workaround is to normalize all codes before submitting them to the OpenBao endpoint.

Summary generated and translated by AI from the official description.

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
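The following Go program is an added illustration of the failure mode described above and is not OpenBao's code. It assumes, purely for the demonstration, that the lenient normalization in question strips spaces and dashes from a submitted code before comparison; the actual behavior of the library used by OpenBao is not stated on this page. A verifier that records used codes by their raw submitted string lets a cosmetically different spelling of the same code pass a second time, while a verifier that normalizes before recording enforces single use. The key and timestamps are the RFC 4226/6238 test values, not real secrets.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
)

// Constructed demo key taken from the RFC 4226 test vectors (not a real secret).
var demoKey = []byte("12345678901234567890")

const period int64 = 30 // TOTP time step in seconds

// hotp computes a 6-digit RFC 4226 HOTP value for the given counter.
func hotp(key []byte, counter uint64) string {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(buf)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff) % 1000000
	return fmt.Sprintf("%06d", code)
}

// normalize models the assumed lenient comparison: spaces and dashes are ignored,
// so "287 082" and "287-082" compare equal to "287082".
func normalize(code string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(code)
}

// Verifier checks TOTP codes against a +/-1 step window and tracks used codes.
// When normalizeBeforeRecord is false it records the raw submitted string,
// which is the flawed behavior; when true it records the normalized form.
type Verifier struct {
	key                   []byte
	used                  map[string]bool // "step:code" entries already accepted
	normalizeBeforeRecord bool
}

func NewVerifier(key []byte, normalizeBeforeRecord bool) *Verifier {
	return &Verifier{key: key, used: map[string]bool{}, normalizeBeforeRecord: normalizeBeforeRecord}
}

// Verify returns true only if code matches a step in the window and that
// step/code pair has not been accepted before.
func (v *Verifier) Verify(code string, now int64) bool {
	candidate := normalize(code) // the lenient comparison (assumed library behavior)
	for skew := int64(-1); skew <= 1; skew++ {
		step := uint64(now/period + skew)
		if hotp(v.key, step) != candidate {
			continue
		}
		recordKey := code
		if v.normalizeBeforeRecord {
			recordKey = candidate
		}
		k := fmt.Sprintf("%d:%s", step, recordKey)
		if v.used[k] {
			return false // strict single use: reject the replay
		}
		v.used[k] = true
		return true
	}
	return false
}

func main() {
	// RFC 6238 test time 59 falls in step 1, whose 6-digit value is 287082.
	flawed := NewVerifier(demoKey, false)
	fixed := NewVerifier(demoKey, true)
	for _, c := range []string{"287082", "287 082", "287-082"} {
		fmt.Printf("flawed: %-8q -> %v   fixed: %-8q -> %v\n",
			c, flawed.Verify(c, 59), c, fixed.Verify(c, 59))
	}
}
```

The flawed verifier accepts all three spellings, the fixed one accepts only the first; this is the effect of the workaround in the description, applied on the verifying side rather than by the caller.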
Affected products
openbao · openbao
