Sign In

CVE-2025-52894

ADVISORY - github

Summary

Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

Patches

In OpenBao v2.2.2 and later, manually setting the configuration option disable_unauthed_rekey_endpoints=true allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release communicated on our website, we will set this to true for all users and provide an authenticated alternative.

This vulnerability has been disclosed to HashiCorp; see their website for more information.

Workarounds

If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges.

References

See the deprecation notice.

EPSS Score: 0.0005 (0.154)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-20

Improper Input Validation

ADVISORY - github

CWE-20

Improper Input Validation

CWE-306

Missing Authentication for Critical Function

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-20

Improper Input Validation

CWE-306

Missing Authentication for Critical Function

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in