CVE-2025-54999: OpenBao has a Timing Side-Channel in the Userpass Auth Method
When using OpenBao’s userpass auth method, user enumeration was possible due to a timing difference between login attempts for non-existent users and for users with stored credentials. The difference is observable regardless of whether the supplied credentials were valid for the given user.
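The following Go program is an added illustration of the login-path shape behind this class of bug and of the usual mitigation; it is not code from OpenBao, from the fix commit, or from the advisory. It assumes a constructed stand-in for the password hash (a fixed-round SHA-256 stretch instead of bcrypt, so it runs with the standard library alone), and the names userStore, loginVulnerable, loginHardened and medianLoginTime are hypothetical. The vulnerable path returns before hashing when the username is unknown; the hardened path hashes against a dummy credential so both cases cost the same, and folds the "user exists" bit into the verdict without a data-dependent early return.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
	"time"
)

// Constructed stand-in for a slow password hash. OpenBao stores bcrypt hashes;
// this example stretches SHA-256 a fixed number of rounds so it runs with the
// standard library alone. The side channel only needs the hash to be the
// expensive step of a login.
const stretchRounds = 20000

// hashCalls counts hash evaluations so a test can confirm how much work each
// login path does for known versus unknown users.
var hashCalls int

func slowHash(salt, password []byte) []byte {
	hashCalls++
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < stretchRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type userEntry struct {
	salt []byte
	hash []byte
}

// userStore is a constructed in-memory credential store (hypothetical name).
type userStore map[string]*userEntry

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (s userStore) add(name, password string) {
	salt := randomBytes(16)
	s[name] = &userEntry{salt: salt, hash: slowHash(salt, []byte(password))}
}

// loginVulnerable has the shape the advisory describes: an unknown user is
// rejected before any hashing, so the response time reveals whether the
// username exists regardless of the password supplied.
func loginVulnerable(s userStore, name, password string) bool {
	u, ok := s[name]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(u.salt, []byte(password)), u.hash) == 1
}

// dummy is a throwaway credential with a random secret; it lets the hardened
// path spend the same hashing effort when the username is not in the store.
var dummy = func() *userEntry {
	salt := randomBytes(16)
	return &userEntry{salt: salt, hash: slowHash(salt, randomBytes(32))}
}()

// loginHardened performs exactly one hash evaluation on every call and folds
// the "user exists" bit into the verdict with constant-time arithmetic, so the
// known and unknown cases cost the same.
func loginHardened(s userStore, name, password string) bool {
	u, exists := s[name]
	known := 0
	if exists {
		known = 1
	} else {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(u.salt, []byte(password)), u.hash)
	return known&match == 1
}

// medianLoginTime samples a login path n times and returns the median latency.
func medianLoginTime(login func(userStore, string, string) bool, s userStore, name, password string, n int) time.Duration {
	samples := make([]time.Duration, n)
	for i := range samples {
		start := time.Now()
		login(s, name, password)
		samples[i] = time.Since(start)
	}
	sort.Slice(samples, func(i, j int) bool { return samples[i] < samples[j] })
	return samples[n/2]
}

func main() {
	store := userStore{}
	store.add("alice", "correct horse battery staple") // constructed test account
	paths := []struct {
		label string
		fn    func(userStore, string, string) bool
	}{{"vulnerable", loginVulnerable}, {"hardened", loginHardened}}
	for _, p := range paths {
		fmt.Printf("%-10s known user: %v  unknown user: %v\n", p.label,
			medianLoginTime(p.fn, store, "alice", "wrong password", 50),
			medianLoginTime(p.fn, store, "mallory", "wrong password", 50))
	}
}
```

Running the program prints median latencies for a known and an unknown username under each path; the vulnerable path shows the unknown-user case returning far faster, while the hardened path brings the two within noise. A detection-side check for an instance of this class of issue is the same measurement taken against a test account from the outside, and a review-side check is that every failure branch of the login handler reaches the hash evaluation.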
References
- discuss.hashicorp.com/t/hcsec-2025-15-timing-side-channel-in-vault-s-userpass-auth-method/76034
- discuss.hashicorp.com/t/hcsec-2025-21-vault-user-enumeration-in-userpass-auth-method/76095
- github.com/advisories/GHSA-hh28-h22f-8357
- github.com/openbao/openbao
- github.com/openbao/openbao/commit/4d9b5d3d6486ab9fbd5b644173fa0097015d6626
- github.com/openbao/openbao/security/advisories/GHSA-hh28-h22f-8357
- nvd.nist.gov/vuln/detail/CVE-2025-54999
- nvd.nist.gov/vuln/detail/CVE-2025-6011