CVE-2025-62513
EPSS 0.05%
OpenBao leaks HTTPRawBody in Audit Logs
Description
### Impact

OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems:

- When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs.
- When using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs.

Third-party plugins may be affected.

### Patches

OpenBao v2.4.2 will patch this issue.

### Workarounds

If users do not use the above functionality, they are not impacted. ACME verification codes are not usable after verification or challenge expiry, so they are of limited long-term use.
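The redaction the advisory refers to is HMAC-based: the audit log should replace a sensitive value with an HMAC of it, so an auditor holding the audit key can confirm a known value appeared in a request without the log itself revealing it. The following is an added example, not OpenBao's own code; the field name `http_raw_body`, the `hmac-sha256:` prefix and the key are assumptions made for this illustration. It shows the intended redaction, a check that flags a log line in which the raw body was written in plaintext (the regression described above), and the auditor-side verification.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed name of the raw-body field in an audit entry (hypothetical for this example).
const rawBodyField = "http_raw_body"

// hmacRedact returns the audit-log form of a value: "hmac-sha256:<hex of HMAC-SHA256(key, value)>".
func hmacRedact(key []byte, value string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(value))
	return "hmac-sha256:" + hex.EncodeToString(m.Sum(nil))
}

// redactEntry returns a copy of an audit entry with the raw body replaced by its HMAC.
func redactEntry(key []byte, entry map[string]any) map[string]any {
	out := make(map[string]any, len(entry))
	for k, v := range entry {
		if s, ok := v.(string); ok && k == rawBodyField {
			out[k] = hmacRedact(key, s)
			continue
		}
		out[k] = v
	}
	return out
}

// isRedacted reports whether a JSON audit line carries the raw body only in HMAC form;
// false means the plaintext body was logged, i.e. the unpatched behaviour.
func isRedacted(line string) (bool, error) {
	var entry map[string]any
	if err := json.Unmarshal([]byte(line), &entry); err != nil {
		return false, err
	}
	v, present := entry[rawBodyField]
	if !present {
		return true, nil // nothing sensitive to redact
	}
	s, isString := v.(string)
	return isString && strings.HasPrefix(s, "hmac-sha256:"), nil
}

// verifyAudited lets a key holder confirm a candidate plaintext against a logged HMAC.
func verifyAudited(key []byte, candidate, logged string) bool {
	return hmac.Equal([]byte(hmacRedact(key, candidate)), []byte(logged))
}

func main() {
	key := []byte("constructed-audit-key") // constructed sample key
	entry := redactEntry(key, map[string]any{"type": "request", rawBodyField: "challenge-token"})
	fmt.Println(entry[rawBodyField])
}
```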
Affected packages (2)
- Go/github.com/openbao/openbao>= 0.0.0-20241114205727-b1235e585db7, < 0.0.0-20251022165510-cc2c476bac66
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |