Platform: go
Component: github.com/openbao/openbao
Fixed in: 2.3.1
CVE-2025-52894 describes a denial-of-service vulnerability discovered in OpenBao, a Go-based service. This vulnerability allows an attacker to perform unauthenticated and unaudited cancellation of root rekey and recovery rekey operations, leading to service disruption. The vulnerability affects versions prior to 2.3.1, and a configuration fix is available for v2.2.2 and later.
The primary impact of CVE-2025-52894 is a denial-of-service (DoS). An attacker can exploit this vulnerability by sending requests to cancel rekey operations without authentication or auditing. This can disrupt critical operations within OpenBao, potentially impacting the availability of services relying on it. The lack of authentication means any external actor can trigger this, making it a significant risk. While the rekey operations are described as 'rarely-used,' their disruption can still have cascading effects on the system's overall functionality and security posture.
This vulnerability was publicly disclosed on 2025-06-26. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. No public proof-of-concept (PoC) code has been released. The vulnerability's impact is primarily a denial-of-service, which may reduce the likelihood of immediate widespread exploitation.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
The immediate mitigation for CVE-2025-52894 is to configure OpenBao to disable unauthenticated rekey endpoints. Specifically, set the configuration option `disable_unauthed_rekey_endpoints=true` in OpenBao versions 2.2.2 and later. This prevents external actors from triggering the rekey cancellations. In a future release, OpenBao plans to automatically enable this setting for all users and provide an authenticated alternative. There are no rollback steps required if this configuration is applied. After applying the configuration, verify the endpoints are inaccessible via a standard HTTP request to confirm the mitigation is effective.
Update OpenBao to version 2.3.0 or later. Alternatively, configure `disable_unauthed_rekey_endpoints=true` in the OpenBao configuration. If you have a proxy or load balancer in front of OpenBao, deny requests to the vulnerable endpoints from unauthorized IP ranges.
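The following script is an added example for the mitigation and verification steps above; it is not code from the advisory or from the OpenBao project. It does two defender-side things: it checks a server config file for the `disable_unauthed_rekey_endpoints = true` setting, and it issues unauthenticated read-only GET requests against the rekey status endpoints to confirm they no longer answer. The endpoint paths (`/v1/sys/rekey/init` and `/v1/sys/rekey-recovery-key/init`) are assumed from the upstream Vault API that OpenBao inherits, the HCL layout and paths in the sample config are constructed placeholders, and treating any non-2xx status as "blocked" is an assumption about how the option responds.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenBao project): audit an
# OpenBao config for the CVE-2025-52894 mitigation and probe the
# unauthenticated rekey endpoints afterwards.
#
# Assumptions (not stated on the advisory page):
#   - the config is HCL and the option is written as
#     disable_unauthed_rekey_endpoints = true (spacing/quotes may vary)
#   - the rekey status endpoints are /v1/sys/rekey/init and
#     /v1/sys/rekey-recovery-key/init as in upstream Vault's API; a GET
#     only reads progress and never starts or cancels a rekey
#   - with the option active an unauthenticated GET no longer gets a 2xx;
#     any other status is treated as blocked

# Return 0 when the config file enables the mitigation, 1 otherwise.
config_has_mitigation() {
    # Tolerate whitespace around '=' and optional quotes around true.
    grep -Eq '^[[:space:]]*disable_unauthed_rekey_endpoints[[:space:]]*=[[:space:]]*"?true"?' "$1"
}

# Map the HTTP status of an unauthenticated GET to a verdict.
classify_rekey_status() {
    case "$1" in
        2[0-9][0-9]) echo "EXPOSED" ;;     # still answers without a token
        000)         echo "UNREACHABLE" ;; # curl could not connect
        *)           echo "BLOCKED" ;;     # 4xx/5xx: mitigation or proxy deny active
    esac
}

# Probe one endpoint with no token; prints "<path> <status> <verdict>".
probe_endpoint() {
    addr="$1"; path="$2"
    # curl prints 000 as http_code when the connection itself fails.
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$addr$path" 2>/dev/null) || status=000
    echo "$path $status $(classify_rekey_status "$status")"
}

# Constructed sample config with placeholder paths, used for self-testing.
write_sample_config() {
    cat > "$1" <<'EOF'
ui = true
disable_unauthed_rekey_endpoints = true
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}
storage "file" {
  path = "/path/to/openbao/data"
}
EOF
}

main() {
    conf="${1:-/etc/openbao/config.hcl}"            # assumed default path
    addr="${BAO_ADDR:-http://127.0.0.1:8200}"       # assumed default listener
    if config_has_mitigation "$conf"; then
        echo "config $conf: disable_unauthed_rekey_endpoints=true present"
    else
        echo "config $conf: disable_unauthed_rekey_endpoints=true NOT set"
    fi
    probe_endpoint "$addr" /v1/sys/rekey/init
    probe_endpoint "$addr" /v1/sys/rekey-recovery-key/init
}

# Only run the live check when explicitly asked, e.g.:
#   REKEY_CHECK=1 BAO_ADDR=http://127.0.0.1:8200 sh rekey_check.sh /etc/openbao/config.hcl
if [ "${REKEY_CHECK:-}" = 1 ]; then
    main "$@"
fi
```

Run it against each server's config and listener after the change; a line ending in EXPOSED means that listener still serves the rekey status endpoint without a token, which is the state the advisory's mitigation is meant to remove. If a proxy or load balancer is used for the deny rule instead, point `BAO_ADDR` at the proxy so the probe exercises the same path a remote caller would.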
CVE-2025-52894 is a denial-of-service vulnerability in OpenBao, allowing unauthenticated cancellation of rekey operations, potentially disrupting service availability.
You are affected if you are running OpenBao versions prior to 2.3.1 and have not implemented the mitigation.
Set the configuration option `disable_unauthed_rekey_endpoints=true` in OpenBao v2.2.2 and later. Upgrade to version 2.3.1 or higher when available.
There is currently no evidence of active exploitation of CVE-2025-52894.
Refer to the OpenBao documentation at https://openbao.org/docs/deprecation/ for details and updates regarding this vulnerability.