OpenBao May Leak Sensitive Information in Logs When Processing Malformed Data
Description
OpenBao is a tool for managing, storing, and distributing sensitive data such as secrets, certificates, and keys. Versions before v2.3.0 may leak sensitive information in logs when processing malformed data. This issue is distinct from the earlier HCSEC-2025-09 / CVE-2025-4166 and is fixed in OpenBao v2.3.0 and later. As with HCSEC-2025-09, there is no known workaround other than ensuring that all clients send properly formatted requests.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openbao/openbao/sdk/v2 | Go | < 2.3.0 | 2.3.0 |
Patches
cf5e920badbf Add changelog entry for sdk/framework vulnerability (#1495)
1 file changed · +3 −0
changelog/1495.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. +```
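Review bot: the changelog entry names sdk/framework, but the code change shown on this page for the CVE is in mapstructure's errors.go (the go-viper/mapstructure v2.3.0 commit in the references), so an operator reading the note cannot tell which module version to verify. Name the dependency in the entry, e.g. "sdk/framework: update go-viper/mapstructure to v2.3.0 to prevent additional information disclosure on invalid request. CVE-2025-52893." so the fix can be checked against go.mod.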
ed3f92181528 feat: remove value from error messages
2 files changed · +7 −8
errors.go+2 −3 modified@@ -53,7 +53,7 @@ type ParseError struct { } func (e *ParseError) Error() string { - return fmt.Sprintf("cannot parse '%s' as '%s': %s", e.Value, e.Expected.Type(), e.Err) + return fmt.Sprintf("cannot parse value as '%s': %s", e.Expected.Type(), e.Err) } func (*ParseError) mapstructure() {} @@ -67,10 +67,9 @@ type UnconvertibleTypeError struct { func (e *UnconvertibleTypeError) Error() string { return fmt.Sprintf( - "expected type '%s', got unconvertible type '%s', value: '%v'", + "expected type '%s', got unconvertible type '%s'", e.Expected.Type(), reflect.TypeOf(e.Value), - e.Value, ) }
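Review bot: in the ParseError hunk the new format string still interpolates e.Err, so the input only stays out of the message if the wrapped error omits it; Go's strconv.NumError, for example, quotes the parsed string in its own Error(). Either document that Err must not carry the value, or format the sentinel instead of the full error (unwrap to ne.Err and use `"cannot parse value as '%s': %s: %w", e.Expected.Type(), ne.Func, ne.Err`).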
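Review bot: the UnconvertibleTypeError hunk drops e.Value from Error() but the Value field remains on the struct (reflect.TypeOf(e.Value) is still used), so a caller that logs the error with %#v or %+v, or serializes it, gets the raw input back. Add a doc comment on the field stating that it holds the client-supplied value and must not be logged; the same applies to ParseError.Value.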
mapstructure_examples_test.go+5 −5 modified@@ -65,11 +65,11 @@ func ExampleDecode_errors() { // Output: // decoding failed due to the following error(s): // - // 'Name' expected type 'string', got unconvertible type 'int', value: '123' - // 'Age' expected type 'int', got unconvertible type 'string', value: 'bad value' - // 'Emails[0]' expected type 'string', got unconvertible type 'int', value: '1' - // 'Emails[1]' expected type 'string', got unconvertible type 'int', value: '2' - // 'Emails[2]' expected type 'string', got unconvertible type 'int', value: '3' + // 'Name' expected type 'string', got unconvertible type 'int' + // 'Age' expected type 'int', got unconvertible type 'string' + // 'Emails[0]' expected type 'string', got unconvertible type 'int' + // 'Emails[1]' expected type 'string', got unconvertible type 'int' + // 'Emails[2]' expected type 'string', got unconvertible type 'int' } func ExampleDecode_metadata() {
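Review bot: the example test changes only the UnconvertibleTypeError lines; nothing in this patch exercises the new ParseError format, so a regression that reinstates e.Value there would still pass. Add an example or unit case that decodes a non-numeric string into a numeric field and asserts the input string is absent from the resulting message.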
Vulnerability mechanics
The patches above show the mechanism. mapstructure's ParseError and UnconvertibleTypeError formatted the offending input value into their error strings, so when the sdk/framework failed to decode a malformed request the resulting error, and any log line built from it, carried the client-supplied value. v2.3.0 removes the value from both messages and keeps only the expected and actual types.
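The following Go program is an added example, not OpenBao or mapstructure code. It reconstructs the two message shapes from the errors.go patch for a request field, shows that the pre-fix shape echoes a constructed secret while the v2.3.0 shape does not, and demonstrates the caveat that follows from the ParseError hunk: the fixed message still interpolates the wrapped error, and Go's strconv errors quote the input, so a conversion layer that wraps them verbatim reintroduces the value. Whether any given caller wraps strconv errors that way is a property of that caller, not something this page establishes. `SampleSecret`, `UnconvertibleTypeError`, `DecodeTTL`, `LeaksInput` and `SanitizeParseError` are names assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// SampleSecret is a constructed stand-in for a secret that a client pastes
// into the wrong field of a request. It is not a real credential.
const SampleSecret = "s3cr3t-api-token-EXAMPLE"

// UnconvertibleTypeError mirrors the shape of mapstructure's error for a field
// whose input type cannot be converted to the field's declared type. The type
// and both formatting methods are constructed for this example.
type UnconvertibleTypeError struct {
	Field    string
	Expected reflect.Type
	Value    interface{}
}

// LeakyError reproduces the pre-v2.3.0 message shape: it echoes the value.
func (e *UnconvertibleTypeError) LeakyError() string {
	return fmt.Sprintf("'%s' expected type '%s', got unconvertible type '%s', value: '%v'",
		e.Field, e.Expected, reflect.TypeOf(e.Value), e.Value)
}

// Error follows the v2.3.0 shape: same diagnostic, value dropped.
func (e *UnconvertibleTypeError) Error() string {
	return fmt.Sprintf("'%s' expected type '%s', got unconvertible type '%s'",
		e.Field, e.Expected, reflect.TypeOf(e.Value))
}

// DecodeTTL converts a client-supplied "ttl" field to int, the kind of weak
// conversion a request-decoding layer performs. A string that fails to parse
// is wrapped without the value, as the fixed ParseError does, but the wrapped
// strconv error still quotes the input in its own message.
func DecodeTTL(raw interface{}) (int, error) {
	switch v := raw.(type) {
	case int:
		return v, nil
	case string:
		n, err := strconv.Atoi(v)
		if err != nil {
			return 0, fmt.Errorf("cannot parse value as 'int': %w", err)
		}
		return n, nil
	default:
		return 0, &UnconvertibleTypeError{Field: "ttl", Expected: reflect.TypeOf(0), Value: raw}
	}
}

// LeaksInput reports whether the error, or any error in its wrapped chain,
// carries the raw client input in its message. Run it over every error path
// that ends up in a log line.
func LeaksInput(err error, input string) bool {
	for e := err; e != nil; e = errors.Unwrap(e) {
		if strings.Contains(e.Error(), input) {
			return true
		}
	}
	return false
}

// SanitizeParseError keeps the failure kind (strconv.ErrSyntax or
// strconv.ErrRange, still matchable with errors.Is) but rebuilds the message
// without the quoted input that strconv.NumError includes.
func SanitizeParseError(err error) error {
	var ne *strconv.NumError
	if errors.As(err, &ne) {
		return fmt.Errorf("cannot parse value as 'int': %s: %w", ne.Func, ne.Err)
	}
	return err
}

func main() {
	// Wrong type: a list where an int was expected.
	_, err := DecodeTTL([]string{SampleSecret})
	var ut *UnconvertibleTypeError
	if errors.As(err, &ut) {
		fmt.Println("pre-fix  :", ut.LeakyError(), "| leaks:", strings.Contains(ut.LeakyError(), SampleSecret))
		fmt.Println("v2.3.0   :", ut.Error(), "| leaks:", LeaksInput(err, SampleSecret))
	}

	// Wrong format: a string that is not a number. The wrapped strconv error
	// quotes the input, so the outer message leaks even though it adds nothing.
	_, err = DecodeTTL(SampleSecret)
	fmt.Println("wrapped  :", err, "| leaks:", LeaksInput(err, SampleSecret))
	safe := SanitizeParseError(err)
	fmt.Println("sanitized:", safe, "| leaks:", LeaksInput(safe, SampleSecret),
		"| still ErrSyntax:", errors.Is(safe, strconv.ErrSyntax))
}
```

The check worth keeping from this is `LeaksInput`: point it at every error your request path can return with a test value in each field, and it will flag any chain where the raw input survives, whether the echo comes from the error type itself (the pre-fix case) or from something it wraps (the strconv case).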
References
- github.com/advisories/GHSA-8f5r-8cmq-7fmq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-52893 (advisory)
- github.com/openbao/openbao/sdk/v2/framework (package)
- discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 (web)
- github.com/go-viper/mapstructure/commit/ed3f92181528ff776a0324107b8b55026e93766a (web)
- github.com/go-viper/mapstructure/pull/105 (web)
- github.com/go-viper/mapstructure/releases/tag/v2.3.0 (web)
- github.com/openbao/openbao/commit/cf5e920badbf96b41253534a3fd5ff5063bf4b30 (web)
- github.com/openbao/openbao/security/advisories/GHSA-8f5r-8cmq-7fmq (vendor advisory)