Common Weakness Enumeration

CWE-156

Allowed

Improper Neutralization of Whitespace

Abstraction: Variant · Status: Draft

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component.

9 vulnerabilities reference this CWE, most recent first.

CVE-2025-55001 (GCVE-0-2025-55001)

Vulnerability from cvelistv5 – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:45
VLAI
Title
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Summary
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-156 - Improper Neutralization of Whitespace
Assigner
Impacted products
Vendor Product Version
openbao openbao Affected: < 2.3.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T14:45:22.660667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T14:45:37.326Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openbao",
          "vendor": "openbao",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-156",
              "description": "CWE-156: Improper Neutralization of Whitespace",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T02:01:29.056Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
        },
        {
          "name": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
        },
        {
          "name": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
        }
      ],
      "source": {
        "advisory": "GHSA-2q8q-8fgw-9p6p",
        "discovery": "UNKNOWN"
      },
      "title": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55001",
    "datePublished": "2025-08-09T02:01:29.056Z",
    "dateReserved": "2025-08-04T17:34:24.421Z",
    "dateUpdated": "2025-08-11T14:45:37.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-55000 (GCVE-0-2025-55000)

Vulnerability from cvelistv5 – Published: 2025-08-09 02:01 – Updated: 2025-08-11 14:43
VLAI
Title
OpenBao TOTP Secrets Engine Enables Code Reuse
Summary
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-156 - Improper Neutralization of Whitespace
Assigner
Impacted products
Vendor Product Version
openbao openbao Affected: >= 0.1.0, < 2.3.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55000",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T14:42:51.463552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T14:43:10.004Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openbao",
          "vendor": "openbao",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 2.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao\u0027s TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-156",
              "description": "CWE-156: Improper Neutralization of Whitespace",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T02:01:16.409Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
        },
        {
          "name": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
        },
        {
          "name": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
        }
      ],
      "source": {
        "advisory": "GHSA-f7c3-mhj2-9pvg",
        "discovery": "UNKNOWN"
      },
      "title": "OpenBao TOTP Secrets Engine Enables Code Reuse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-55000",
    "datePublished": "2025-08-09T02:01:16.409Z",
    "dateReserved": "2025-08-04T17:34:24.421Z",
    "dateUpdated": "2025-08-11T14:43:10.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-6014 (GCVE-0-2025-6014)

Vulnerability from cvelistv5 – Published: 2025-08-01 17:50 – Updated: 2025-08-01 18:05
VLAI
Title
Vault TOTP Secrets Engine Code Reuse
Summary
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-156 - Improper Neutralization of Whitespace
Assigner
Impacted products
Vendor Product Version
HashiCorp Vault Affected: 0 , < 1.20.1 (semver)
Create a notification for this product.
HashiCorp Vault Enterprise Affected: 0 , < 1.20.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6014",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-01T18:05:29.589836Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-01T18:05:37.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.19.7",
                  "status": "unaffected"
                },
                {
                  "at": "1.18.12",
                  "status": "unaffected"
                },
                {
                  "at": "1.16.23",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.20.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-153",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-153: Input Data Manipulation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-156",
              "description": "CWE-156: Improper Neutralization of Whitespace",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-01T17:50:09.308Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
        }
      ],
      "source": {
        "advisory": "HCSEC-2025-17",
        "discovery": "EXTERNAL"
      },
      "title": "Vault TOTP Secrets Engine Code Reuse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2025-6014",
    "datePublished": "2025-08-01T17:50:09.308Z",
    "dateReserved": "2025-06-11T19:02:59.572Z",
    "dateUpdated": "2025-08-01T18:05:37.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-6013 (GCVE-0-2025-6013)

Vulnerability from cvelistv5 – Published: 2025-08-06 10:06 – Updated: 2026-02-26 17:49
VLAI
Title
Vault LDAP MFA Enforcement Bypass When Using Username As Alias
Summary
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-156 - Improper Neutralization of Whitespace
Assigner
Impacted products
Vendor Product Version
HashiCorp Vault Affected: 1.10.0 , < 1.20.2 (semver)
Create a notification for this product.
HashiCorp Vault Enterprise Affected: 1.10.0 , < 1.20.2 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6013",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T03:55:19.963641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:49:53.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "lessThan": "1.20.2",
              "status": "affected",
              "version": "1.10.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "64 bit",
            "32 bit",
            "x86",
            "ARM",
            "MacOS",
            "Windows",
            "Linux"
          ],
          "product": "Vault Enterprise",
          "repo": "https://github.com/hashicorp/vault",
          "vendor": "HashiCorp",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.19.8",
                  "status": "unaffected"
                },
                {
                  "at": "1.18.13",
                  "status": "unaffected"
                },
                {
                  "at": "1.16.24",
                  "status": "unaffected"
                }
              ],
              "lessThan": "1.20.2",
              "status": "affected",
              "version": "1.10.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eVault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.\u003c/p\u003e\u003cbr/\u003e"
            }
          ],
          "value": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-156",
              "description": "CWE-156: Improper Neutralization of Whitespace",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-06T10:06:55.668Z",
        "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
        "shortName": "HashiCorp"
      },
      "references": [
        {
          "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
        }
      ],
      "source": {
        "advisory": "HCSEC-2025-20",
        "discovery": "EXTERNAL"
      },
      "title": "Vault LDAP MFA Enforcement Bypass When Using Username As Alias"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc",
    "assignerShortName": "HashiCorp",
    "cveId": "CVE-2025-6013",
    "datePublished": "2025-08-06T10:06:55.668Z",
    "dateReserved": "2025-06-11T19:00:51.574Z",
    "dateUpdated": "2026-02-26T17:49:53.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-2Q8Q-8FGW-9P6P

Vulnerability from github – Published: 2025-08-08 15:17 – Updated: 2025-08-11 13:56
VLAI
Summary
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
Details

Impact

OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the username_as_alias=true parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

LDAP methods are only vulnerable if using username_as_alias=true. Remove all usage of this parameter and update any entity aliases accordingly.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6013
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250807212521-c52795c1ef74"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-156"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T15:17:09Z",
    "nvd_published_at": "2025-08-09T03:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using the `username_as_alias=true` parameter in the LDAP auth method, the caller-supplied username is used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\n### Workarounds\n\nLDAP methods are only vulnerable if using `username_as_alias=true`. Remove all usage of this parameter and update any entity aliases accordingly.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6013",
  "id": "GHSA-2q8q-8fgw-9p6p",
  "modified": "2025-08-11T13:56:49Z",
  "published": "2025-08-08T15:17:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-2q8q-8fgw-9p6p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55001"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/c52795c1ef746c7f2c510f9225aa8ccbbd44f9fc"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias"
}

GHSA-7RX2-769V-HRWF

Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 18:14
VLAI
Summary
HashiCorp Vault ldap auth method may not have correctly enforced MFA
Details

Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.20.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-156"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-06T18:14:06Z",
    "nvd_published_at": "2025-08-06T10:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24.",
  "id": "GHSA-7rx2-769v-hrwf",
  "modified": "2025-08-06T18:14:06Z",
  "published": "2025-08-06T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6013"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-20-vault-ldap-mfa-enforcement-bypass-when-using-username-as-alias/76092"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HashiCorp Vault ldap auth method may not have correctly enforced MFA"
}

GHSA-F7C3-MHJ2-9PVG

Vulnerability from github – Published: 2025-08-08 14:42 – Updated: 2025-08-11 13:56
VLAI
Summary
OpenBao TOTP Secrets Engine Code Reuse
Details

Impact

OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.

Patches

OpenBao v2.3.2 will patch this issue.

In patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.

Workarounds

TOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:

  • https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036
  • https://nvd.nist.gov/vuln/detail/CVE-2025-6014
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "2.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/openbao/openbao"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20250806193153-183891f8d535"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-156"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T14:42:49Z",
    "nvd_published_at": "2025-08-09T03:15:46Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOpenBao\u0027s TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library.\n\n### Patches\n\nOpenBao v2.3.2 will patch this issue.\n\nIn patching, codes which were not normalized (strictly N numeric digits) will now be rejected. This is a potentially breaking change.\n\n### Workarounds\n\nTOTP code verification is a privileged action; only trusted systems should be verifying codes. Ensure that all codes are first normalized before submitting to the OpenBao endpoint.\n\n### References\n\nThis issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets:\n\n- https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036\n- https://nvd.nist.gov/vuln/detail/CVE-2025-6014",
  "id": "GHSA-f7c3-mhj2-9pvg",
  "modified": "2025-08-11T13:56:44Z",
  "published": "2025-08-08T14:42:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/security/advisories/GHSA-f7c3-mhj2-9pvg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55000"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openbao/openbao/commit/183891f8d535d5b6eb3d79fda8200cade6de99e1"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openbao/openbao"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenBao TOTP Secrets Engine Code Reuse"
}

GHSA-QV3P-FMV3-9HWW

Vulnerability from github – Published: 2025-08-01 18:31 – Updated: 2025-08-01 21:08
VLAI
Summary
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
Details

Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-156"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-01T21:08:57Z",
    "nvd_published_at": "2025-08-01T18:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Vault and Vault Enterprise\u2019s (\u201cVault\u201d) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.",
  "id": "GHSA-qv3p-fmv3-9hww",
  "modified": "2025-08-01T21:08:57Z",
  "published": "2025-08-01T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6014"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-17-vault-totp-secrets-engine-code-reuse/76036"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hashicorp Vault\u0027s TOTP Secrets Engine Susceptible to Code Reuse "
}

GHSA-R3JX-6XF2-CCH5

Vulnerability from github – Published: 2025-11-20 21:30 – Updated: 2025-11-21 00:30
VLAI
Details

HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-55127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-156"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T19:16:19Z",
    "severity": "MODERATE"
  },
  "details": "HackerOne community member Dao Hoang Anh (yoyomiski) has reported an improper neutralization of whitespace in the username when adding new users. A username with leading or trailing whitespace could be virtually indistinguishable from its legitimate counterpart when the username is displayed in the UI, potentially leading to confusion.",
  "id": "GHSA-r3jx-6xf2-cch5",
  "modified": "2025-11-21T00:30:21Z",
  "published": "2025-11-20T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55127"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3413764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Developers should anticipate that whitespace will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

No CAPEC attack patterns related to this CWE.