CVE-2025-52893

25.06.2025, 17:15

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
GitHub_M	CNA	4.5 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Vendor	Product	Version
openbao	openbao	𝑥 < 2.3.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

golang-github-go-viper-mapstructure

plucky	needs-triage
oracular	dne
noble	dne
jammy	dne

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717

https://github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a

https://github.com/go-viper/mapstructure/pull/105

https://github.com/go-viper/mapstructure/releases/tag/v2.3.0

https://github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30

https://github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq