x/vulndb: potential Go vuln in github.com/openbao/openbao/api/v2: GHSA-prpj-rchp-9j5h

Advisory [GHSA-prpj-rchp-9j5h](https://github.com/advisories/GHSA-prpj-rchp-9j5h) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/openbao/openbao/api](https://pkg.go.dev/github.com/openbao/openbao/api) |
| [github.com/openbao/openbao/api/v2](https://pkg.go.dev/github.com/openbao/openbao/api/v2) |

Description:
### Impact

OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service.

### Patches

In OpenBao v2.2.2 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners.

In a future OpenBao release [communicated on our website](https://openbao.org/docs/deprecation/), we will set this to `true` for all users and provide an authenticated alternative.

This vulnerability has been d...

References:
- ADVISORY: https://github.com/advisories/GHSA-prpj-rchp-9j5h
- ADVISORY: https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-52894
- FIX: https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b
- WEB: https://github.com/openbao/openbao/releases/tag/v2.3.1

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao/api
      non_go_versions:
        - introduced: TODO (earliest fixed "2.3.1", vuln range ">= 2.2.2, <= 2.3.0")
      vulnerable_at: 1.12.2
    - module: github.com/openbao/openbao/api/v2
      vulnerable_at: 2.3.1
summary: |-
    OpenBao allows cancellation of root rekey and recovery rekey operations without
    authentication in github.com/openbao/openbao/api
cves:
    - CVE-2025-52894
ghsas:
    - GHSA-prpj-rchp-9j5h
references:
    - advisory: https://github.com/advisories/GHSA-prpj-rchp-9j5h
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-52894
    - fix: https://github.com/openbao/openbao/commit/fe75468822a22a88318c6079425357a02ae5b77b
    - web: https://github.com/openbao/openbao/releases/tag/v2.3.1
source:
    id: GHSA-prpj-rchp-9j5h
    created: 2025-06-26T22:05:16.32786617Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/openbao/openbao/api/v2: GHSA-prpj-rchp-9j5h #3783

Impact

Patches

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/openbao/openbao/api/v2: GHSA-prpj-rchp-9j5h #3783

Description

Impact

Patches

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions