Moderate severity · NVD Advisory · Published Jun 25, 2025 · Updated Jun 25, 2025
OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data
CVE-2025-52893
Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. As with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openbao/openbao/sdk/v2 (Go) | < 2.3.0 | 2.3.0 |
Affected products
- ghsa-coords (3 versions), range: < 2.3.0 (+ 2 more)
  - pkg:golang/github.com/openbao/openbao/sdk/v2
  - pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed
- (no CPE), range: < 2.3.0
- (no CPE), range: < 0.0.20250730T213748-1.1
- (no CPE), range: < 2.3.1-1.1
References
- github.com/advisories/GHSA-8f5r-8cmq-7fmq (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-52893 (ghsa; ADVISORY)
- github.com/openbao/openbao/sdk/v2/framework (ghsa; PACKAGE)
- discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 (ghsa; x_refsource_MISC; WEB)
- github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a (ghsa; x_refsource_MISC; WEB)
- github.com/go-viper/mapstructure/pull/105 (ghsa; x_refsource_MISC; WEB)
- github.com/go-viper/mapstructure/releases/tag/v2.3.0 (ghsa; x_refsource_MISC; WEB)
- github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30 (ghsa; x_refsource_MISC; WEB)
- github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq (ghsa; x_refsource_CONFIRM; WEB)