OpenBao TOTP Secrets Engine Enables Code Reuse
Description
OpenBao is a software solution to manage, store, and distribute sensitive data, including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept a valid code multiple times rather than strictly once. The cause was unexpected normalization in the underlying TOTP library: a code submitted with surrounding whitespace validated as the same code, but the engine's used-code cache was keyed on the raw input string, so the padded variant did not hit the cache. Version 2.3.2 fixes this by rejecting any code that is not submitted verbatim. As a workaround on unpatched versions, ensure that all codes are normalized before they are submitted to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/openbao/openbao (Go) | >= 0.1.0, < 2.3.2 | 2.3.2 |
| github.com/openbao/openbao (Go) | < 0.0.0-20250806193153-183891f8d535 | 0.0.0-20250806193153-183891f8d535 |
Patches
183891f8d535 Fix TOTP engine verification reuse bypass (#1625)
4 files changed · +32 −7
builtin/logical/totp/backend_test.go+13 −2 modified@@ -330,7 +330,11 @@ func TestBackend_keyCrudDefaultValues(t *testing.T) { } code, _ := generateCode(key, 30, otplib.DigitsSix, otplib.AlgorithmSHA1) - invalidCode := "12345678" + invalidCode := "1234567890" + sameLengthInvalidCode := invalidCode[0:len(code)] + if sameLengthInvalidCode == code { + sameLengthInvalidCode = invalidCode[1 : len(code)+1] + } logicaltest.Test(t, logicaltest.TestCase{ LogicalBackend: b, @@ -340,7 +344,14 @@ func TestBackend_keyCrudDefaultValues(t *testing.T) { testAccStepValidateCode(t, "test", code, true, false), // Next step should fail because it should be in the used cache testAccStepValidateCode(t, "test", code, false, true), - testAccStepValidateCode(t, "test", invalidCode, false, false), + // Next step should fail because it is of invalid length and thus + // won't hit the used cache; this was part of HCSEC-2025-17 + // (CVE-2025-6014). + testAccStepValidateCode(t, "test", code+" ", false, true), + // Next step should fail because it is of invalid length as well. + testAccStepValidateCode(t, "test", invalidCode, false, true), + // This will be an invalid code of the correct length. + testAccStepValidateCode(t, "test", sameLengthInvalidCode, false, false), testAccStepDeleteKey(t, "test"), testAccStepReadKey(t, "test", nil), },
builtin/logical/totp/path_code.go+9 −5 modified@@ -6,6 +6,7 @@ package totp import ( "context" "fmt" + "strings" "time" "github.com/openbao/openbao/sdk/v2/framework" @@ -88,11 +89,6 @@ func (b *backend) pathValidateCode(ctx context.Context, req *logical.Request, da name := data.Get("name").(string) code := data.Get("code").(string) - // Enforce input value requirements - if code == "" { - return logical.ErrorResponse("the code value is required"), nil - } - // Get the key's stored values key, err := b.Key(ctx, req.Storage, name) if err != nil { @@ -102,6 +98,14 @@ func (b *backend) pathValidateCode(ctx context.Context, req *logical.Request, da return logical.ErrorResponse(fmt.Sprintf("unknown key: %s", name)), nil } + // Enforce input value requirements + if code == "" { + return logical.ErrorResponse("the code value is required"), nil + } + if strings.TrimSpace(code) != code || len(code) != key.Digits.Length() { + return logical.ErrorResponse("invalid number of digits for the code"), nil + } + usedName := fmt.Sprintf("%s_%s", name, code) _, ok := b.usedCodes.Get(usedName)
changelog/1625.txt+3 −0 added@@ -0,0 +1,3 @@ +```release-note:security +secrets/totp: Fix TOTP verification reuse bypass when the TOTP code contains spaces. HCSEC-2025-17 / CVE-2025-6014. +```
website/content/api-docs/secret/totp.mdx+7 −0 modified@@ -247,6 +247,13 @@ key. - `code` `(string: <required>)` – Specifies the password you want to validate. +:::info + +As of OpenBao v2.3.2, this endpoint will error if the code is not given +verbatim; whitespace is no longer allowed. + +::: + ### Sample payload ```json
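Review bot: in the path_code.go hunk, the single error string "invalid number of digits for the code" is also returned for the `strings.TrimSpace(code) != code` branch, where the length may be correct and the actual problem is surrounding whitespace; a distinct message such as "code must be submitted verbatim, without surrounding whitespace" would tell integrators what to fix. The check also only pins down length and outer whitespace while `usedName` is still built from the raw `code`, so any other same-length normalization the library performs would leave the same cache-key mismatch; a digits-only check (every byte in '0'..'9') would make the cache key canonical independent of the library's behaviour. Moving the `code == ""` check below the key lookup is necessary because the new check needs `key.Digits`, but note it changes which error an unknown key combined with an empty code now returns.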
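Review bot: the new cases in TestBackend_keyCrudDefaultValues only exercise a trailing space (`code+" "`) and an over-long code; add a leading-space variant (`" "+code`) and a correct-length code containing a non-digit, since the check in path_code.go rejects those on different conditions (the TrimSpace comparison versus the length comparison) and a regression in either branch would otherwise go unnoticed. The comment "fail because it is of invalid length" on the `code+" "` step is also slightly misleading, as that input is rejected by the whitespace comparison before length matters.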
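Review bot: the new admonition in totp.mdx documents only the whitespace rule, but the same check in path_code.go also errors when the code's length differs from the key's configured `digits`; document both conditions and the returned error string so API clients can distinguish a format rejection from an incorrect code.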
Vulnerability mechanics
The engine's replay protection is a cache of already-accepted codes keyed on the submitted string (`<name>_<code>`, built with `fmt.Sprintf("%s_%s", name, code)` in path_code.go). The underlying TOTP library normalizes the submitted code before comparing it, so a valid code padded with whitespace (for example `123456 ` instead of `123456`) validated successfully but was cached under a different key than the verbatim code. Within one validity window the same code could therefore be accepted once verbatim and once more for each whitespace-padded variant. The fix in commit 183891f8d535 rejects any code that is not given verbatim or whose length does not match the key's configured digits, so the cache key is always the canonical code. The same defect in HashiCorp Vault is tracked as HCSEC-2025-17 / CVE-2025-6014.
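The following is an added example (not OpenBao's code) that models the flaw and the fix side by side in Go, using only the standard library. It implements RFC 6238 TOTP (HMAC-SHA1, six digits, 30-second step) so it can be checked against the published test vectors, and a small verifier whose used-code cache is keyed on the raw submitted string, mirroring the `<name>_<code>` key in the patch. The library's normalization is an assumption modelled explicitly as whitespace trimming, as the changelog and the new test case indicate; the key name `demo`, the fixed timestamp and the demo secret are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constructed demo key: the RFC 4226/6238 reference secret, so totpAt
// can be checked against the published test vectors.
var demoSecret = []byte("12345678901234567890")

// Constructed fixed timestamp so the demo is deterministic.
const demoTime int64 = 1700000000

const (
	digits = 6
	period = 30
)

var (
	errReplay = errors.New("code already used")
	errFormat = errors.New("invalid number of digits for the code")
)

// totpAt computes an RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step)
// for the given Unix time.
func totpAt(secret []byte, unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/period))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// verifier models the engine's replay protection: a cache of accepted
// codes keyed on the exact string the client submitted. strict selects
// the patched behaviour (reject anything that is not the code verbatim).
type verifier struct {
	secret []byte
	used   map[string]bool
	strict bool
}

func newVerifier(secret []byte, strict bool) *verifier {
	return &verifier{secret: secret, used: map[string]bool{}, strict: strict}
}

// validate reports whether code is the TOTP for the key at time now.
// The library's normalization is assumed to be whitespace trimming and
// is modelled explicitly below.
func (v *verifier) validate(code string, now int64) (bool, error) {
	if v.strict {
		// Patched check: the code must be given verbatim.
		if strings.TrimSpace(code) != code || len(code) != digits {
			return false, errFormat
		}
	}
	key := "demo_" + code // raw input, not the normalized code
	if v.used[key] {
		return false, errReplay
	}
	normalized := strings.TrimSpace(code)
	ok := hmac.Equal([]byte(normalized), []byte(totpAt(v.secret, now)))
	if ok {
		v.used[key] = true
	}
	return ok, nil
}

// replayAttempt submits the valid code, then the same code followed by a
// space, and returns both outcomes plus the error from the second try.
// Unpatched, the second submission is accepted; patched, it is rejected.
func replayAttempt(strict bool) (firstOK, secondOK bool, secondErr error) {
	v := newVerifier(demoSecret, strict)
	code := totpAt(demoSecret, demoTime)
	firstOK, _ = v.validate(code, demoTime)
	secondOK, secondErr = v.validate(code+" ", demoTime)
	return firstOK, secondOK, secondErr
}

func main() {
	for _, strict := range []bool{false, true} {
		f, s, err := replayAttempt(strict)
		fmt.Printf("strict=%-5v first=%v second=%v err=%v\n", strict, f, s, err)
	}
}
```

The unpatched run shows both submissions succeeding, because `123456 ` and `123456` compare equal after trimming but occupy different cache slots; the strict run returns the format error for the padded input before the cache is consulted, and a verbatim resubmission is caught by the cache in both modes.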
References
- GitHub Advisory Database, GHSA-f7c3-mhj2-9pvg: github.com/advisories/GHSA-f7c3-mhj2-9pvg
- NVD, CVE-2025-55000: nvd.nist.gov/vuln/detail/CVE-2025-55000
- NVD, CVE-2025-6014: nvd.nist.gov/vuln/detail/CVE-2025-6014
- HashiCorp, HCSEC-2025-17 Vault TOTP secrets engine code reuse: discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
- Fix commit 183891f8d535: github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1
- OpenBao security advisory GHSA-f7c3-mhj2-9pvg: github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg