Platform: go
Component: github.com/openbao/openbao
Fixed in: 2.3.1
CVE-2025-52894 describes a denial-of-service vulnerability discovered in OpenBao, a Go-based service. This vulnerability allows an attacker to perform unauthenticated and unaudited cancellation of root rekey and recovery rekey operations, leading to service disruption. The vulnerability affects versions prior to 2.3.1, and a configuration fix is available for v2.2.2 and later.
The primary impact of CVE-2025-52894 is a denial-of-service (DoS). An attacker can exploit this vulnerability by sending requests to cancel rekey operations without authentication or auditing. This can disrupt critical operations within OpenBao, potentially impacting the availability of services relying on it. The lack of authentication means any external actor can trigger this, making it a significant risk. While the rekey operations are described as 'rarely-used,' their disruption can still have cascading effects on the system's overall functionality and security posture.
This vulnerability was publicly disclosed on 2025-06-26. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's impact is primarily a denial-of-service, which may reduce the likelihood of immediate widespread exploitation.
Organizations utilizing OpenBao for secrets management and relying on its rekey functionality are at risk. Specifically, deployments with older versions (prior to 2.3.1) and those not actively monitoring their OpenBao instances are particularly vulnerable.
• linux / server: `journalctl -u openbao | grep -i "rekey cancellation"`
• generic web: `curl -I http://<openbao_host>/rekey/cancel` (expect a 403 Forbidden or similar error after mitigation)
Exploit status: disclosure
EPSS: 0.04% (13th percentile)
CISA SSVC
The immediate mitigation for CVE-2025-52894 is to configure OpenBao to disable the unauthenticated rekey endpoints. Specifically, set the configuration option `disable_unauthed_rekey_endpoints=true` in OpenBao versions 2.2.2 and later. This prevents external actors from triggering rekey cancellations. In a future release, OpenBao plans to enable this setting by default for all users and provide an authenticated alternative. No rollback steps are required if this configuration is applied. After applying the configuration, verify that the endpoints are inaccessible via a standard HTTP request to confirm the mitigation is effective.
Upgrade OpenBao to version 2.3.0 or later. Alternatively, set `disable_unauthed_rekey_endpoints=true` in the OpenBao configuration. If you have a proxy or load balancer in front of OpenBao, deny requests to the vulnerable endpoints from unauthorized IP ranges.
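As an added audit helper (not part of this advisory or of the OpenBao project), the following Python decides from a version string and the text of an OpenBao HCL configuration whether a deployment is still exposed, using the thresholds stated above: fixed in 2.3.1, and the `disable_unauthed_rekey_endpoints` option available from 2.2.2 onward. The sample configuration is constructed.

```python
import re
from typing import Tuple

FIXED_VERSION = (2, 3, 1)   # first OpenBao release with the fix
OPTION_SINCE = (2, 2, 2)    # first release that understands the option
OPTION = "disable_unauthed_rekey_endpoints"

# Top-level `disable_unauthed_rekey_endpoints = true` in HCL; accepts a bare
# boolean or a quoted "true"/"false", case-insensitive, one assignment per line.
_OPTION_RE = re.compile(
    r'^\s*' + OPTION + r'\s*=\s*"?(true|false)"?\s*$', re.IGNORECASE | re.MULTILINE
)

def parse_version(text: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from strings like 'OpenBao v2.2.2' or '2.3.1-beta1'."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)', text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def _strip_comments(hcl: str) -> str:
    """Remove HCL comments so a commented-out option does not count as applied."""
    out = []
    for line in hcl.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue
        for marker in (" #", " //"):   # trailing comments; 'http://' has no leading space
            idx = line.find(marker)
            if idx != -1:
                line = line[:idx]
        out.append(line)
    return "\n".join(out)

def mitigation_configured(hcl: str) -> bool:
    """True only if the last effective assignment of the option is true."""
    matches = _OPTION_RE.findall(_strip_comments(hcl))
    return bool(matches) and matches[-1].lower() == "true"

def assess(version: str, hcl: str) -> str:
    """Classify a deployment against CVE-2025-52894 from its version and config."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return "fixed"
    if v < OPTION_SINCE:
        return "vulnerable: upgrade required"   # option unknown before 2.2.2
    if mitigation_configured(hcl):
        return "mitigated"
    return f"vulnerable: set {OPTION}=true"

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_HCL = """
ui = true
listener "tcp" {
  address = "0.0.0.0:8200"
}
# disable_unauthed_rekey_endpoints = false   <- commented out, must be ignored
disable_unauthed_rekey_endpoints = true
"""
```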
CVE-2025-52894 is a denial-of-service vulnerability in OpenBao, allowing unauthenticated cancellation of rekey operations, potentially disrupting service availability.
You are affected if you are running OpenBao versions prior to 2.3.1 and have not implemented the mitigation.
Set the configuration option `disable_unauthed_rekey_endpoints=true` in OpenBao v2.2.2 and later. Upgrade to version 2.3.1 or higher when available.
There is currently no evidence of active exploitation of CVE-2025-52894.
Refer to the OpenBao documentation at https://openbao.org/docs/deprecation/ for details and updates regarding this vulnerability.