CVE-2025-54997
Published: 09 August 2025
Summary
CVE-2025-54997 is a critical-severity Code Injection (CWE-94) vulnerability in OpenBao (vendor and product: OpenBao). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Flaw remediation: patch OpenBao to version 2.3.2 or later, which removes the audit log prefix manipulation vulnerability at its source.
- Least privilege (AC-6): restrict privileged API operators' access to the sys/audit/* endpoints with explicit deny policies, the recommended workaround; note that root operators cannot be restricted this way.
- Information input validation (SI-10): validate inputs such as audit log prefixes so that they cannot be used for code injection (CWE-94), closing off unauthorized code execution and network access through the audit subsystem.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability is a remote code injection flaw (CWE-94) in a network-exposed API; it is reached by exploiting a public-facing application (T1190) and directly enables arbitrary command execution on the host (T1059).
NVD Description
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way.
Deeper analysis [AI]
CVE-2025-54997 is a code injection vulnerability (CWE-94) affecting OpenBao, an open-source tool for managing, storing, and distributing sensitive data such as secrets, certificates, and keys. In versions 2.3.1 and prior, certain deployments intentionally restrict privileged API operators from executing system code or initiating network connections. However, these operators can bypass both restrictions by manipulating log prefixes through the audit subsystem, enabling unauthorized code execution on the host and network access that violates the intended security model. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Exploitation requires an already privileged API operator (PR:H), but it can be carried out remotely over the network with low attack complexity and no user interaction. A successful exploit lets the operator execute arbitrary code on the underlying host and open unauthorized network connections, yielding high confidentiality, integrity, and availability impacts; the changed scope (S:C) reflects that the damage extends beyond OpenBao itself to the host and the surrounding system.
The vulnerability is fixed in OpenBao version 2.3.2. As a workaround, administrators can block access to sys/audit/* endpoints using explicit deny policies, though this does not restrict root operators. Official advisories and release notes detail the patch via a GitHub pull request, with further discussion in HashiCorp and OpenBao security forums.
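An OpenBao policy that applies the workaround described above, as an added example that is not part of the advisory or the OpenBao project's own code. It assumes the OpenBao/Vault HCL policy format; the broad `sys/*` operator grant is a hypothetical illustration of a typical operator role, and `sys/audit/*` is the endpoint prefix named in the advisory.

```hcl
# Added example (not from the advisory or the OpenBao project): an operator
# policy that blocks the audit endpoints abused in CVE-2025-54997.
# Assumption: OpenBao/Vault-style HCL policy syntax and path matching.

# BEFORE (hypothetical operator role): a broad grant like this one also covers
# sys/audit/*, so the operator can enable or reconfigure audit devices and
# manipulate their log prefixes.
#
# path "sys/*" {
#   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
# }

# AFTER: keep the broad grant but add explicit deny rules for the audit
# endpoints. The longest matching path rule wins over "sys/*", and "deny"
# takes precedence over every other capability on a matching path.
path "sys/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Blocks enabling, disabling and reconfiguring audit devices (sys/audit/<name>).
path "sys/audit/*" {
  capabilities = ["deny"]
}

# Also blocks listing enabled audit devices via the bare sys/audit endpoint.
path "sys/audit" {
  capabilities = ["deny"]
}
```

Apply it with the CLI's policy write command (assumed to mirror Vault's, e.g. `bao policy write operator operator.hcl`) and attach it to operator tokens instead of any broader policy. As the advisory notes, root operators are not constrained by policies at all, so this is a stopgap until the upgrade to 2.3.2 or later.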
Details
- CWE(s)