CVE-2025-55003: OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
(updated )
OpenBao’s Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes.
References
- discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
- github.com/advisories/GHSA-rxp7-9q75-vj3p
- github.com/openbao/openbao
- github.com/openbao/openbao/commit/8340a6918f6c41d8f75b6c3845c376d9dc32ed19
- github.com/openbao/openbao/security/advisories/GHSA-rxp7-9q75-vj3p
- nvd.nist.gov/vuln/detail/CVE-2025-55003
- nvd.nist.gov/vuln/detail/CVE-2025-6015
Code Behaviors & Features
Detect and mitigate CVE-2025-55003 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →