CVE-2025-52894

ADVISORY - github

Summary

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

EPSS Score⁠: 0.0005 (0.154)

Common Weakness Enumeration (CWE)

ADVISORY - nist

NIST

CREATED

9 months ago

UPDATED

7 months ago

ADVISORY IDCVE-2025-52894⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠

CVSS SCORE

6.9medium

GitHub

CREATED

9 months ago

UPDATED

7 months ago

ADVISORY IDGHSA-prpj-rchp-9j5h⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-20⁠CWE-306⁠

CVSS SCORE

6.9medium

Alpine

CREATED

8 months ago

UPDATED

1 month ago

ADVISORY IDCVE-2025-52894⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

GoLang

CREATED

8 months ago

UPDATED

7 months ago

ADVISORY IDGO-2025-3783⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

GitLab

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY ID

CVE-2025-52894

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-20⁠CWE-306⁠CWE-937⁠

CVSS SCORE

N/Aunspecified