CVE-2025-54997: Privileged OpenBao Operator May Execute Code on the Underlying Host
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and so normally cannot replace binaries or execute code on the host. Such operators should likewise be unable to open TCP connections to arbitrary hosts in the environment OpenBao runs in. The API-driven audit subsystem allowed privileged API operators to do both by supplying an attacker-controlled log prefix. Access to these endpoints should be restricted.
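One way to apply that last sentence in an OpenBao ACL policy, as an added example that is not part of the advisory or the OpenBao project's own code; it assumes OpenBao's Vault-compatible policy syntax, and the policy name and the set of granted paths are illustrative:

```hcl
# Added example: ACL policy "operator" for day-to-day OpenBao operators
# who are not system administrators. The broad rule is left commented
# out; the explicit deny rules at the end take precedence over any
# wildcard grant, so tokens with this policy cannot enable, disable or
# reconfigure audit devices via the sys/audit endpoints named in the
# advisory. Granted paths below are assumptions for illustration.

# Too broad: this would also cover sys/audit and sys/audit/<device>.
# path "sys/*" {
#   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
# }

# Grant only what operators need, endpoint by endpoint.
path "sys/mounts" {
  capabilities = ["read", "list"]
}

path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Audit-device management stays with system administrators:
# deny wins even if another attached policy grants sys/*.
path "sys/audit" {
  capabilities = ["deny"]
}

path "sys/audit/*" {
  capabilities = ["deny"]
}
```

Any token that needs to manage audit devices should carry a separate, tightly held administrator policy instead of this one.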
References
- discuss.hashicorp.com/t/hcsec-2025-14-privileged-vault-operator-may-execute-code-on-the-underlying-host/76033
- github.com/advisories/GHSA-xp75-r577-cvhp
- github.com/openbao/openbao
- github.com/openbao/openbao/commit/a14053c9679d6e9cf370f00cf933476cda6d84a2
- github.com/openbao/openbao/pull/1634
- github.com/openbao/openbao/releases/tag/v2.3.2
- github.com/openbao/openbao/security/advisories/GHSA-xp75-r577-cvhp
- nvd.nist.gov/vuln/detail/CVE-2025-54997
- nvd.nist.gov/vuln/detail/CVE-2025-6000