Closed
Advisory GHSA-ghfh-fmx4-26h8 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/openbao/openbao |
Description:
Impact
OpenBao's audit log experienced a regression wherein raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This impacted the following subsystems:
- When using the ACME functionality of PKI, this would result in short-lived ACME verification challenge codes being leaked in the audit logs.
- When using the OIDC issuer functionality of the identity subsystem, auth and token response codes along with claims could be leaked in the audit logs.
Third-party plugins may be affected.
Patches
OpenBao v2.4.2 will patch this issue.
Workarounds
If users do...
References:
- ADVISORY: GHSA-ghfh-fmx4-26h8
- ADVISORY: GHSA-ghfh-fmx4-26h8
- FIX: openbao/openbao@cc2c476
Cross references:
- github.com/openbao/openbao appears in 8 other report(s):
- data/reports/GO-2025-3783.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao/api/v2: GHSA-prpj-rchp-9j5h #3783)
- data/reports/GO-2025-3853.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-f7c3-mhj2-9pvg #3853)
- data/reports/GO-2025-3854.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-hh28-h22f-8357 #3854)
- data/reports/GO-2025-3855.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-j3xv-7fxp-gfhx #3855)
- data/reports/GO-2025-3856.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-rxp7-9q75-vj3p #3856)
- data/reports/GO-2025-3857.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-vf84-mxrq-crqc #3857)
- data/reports/GO-2025-3858.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-xp75-r577-cvhp #3858)
- data/reports/GO-2025-3859.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-2q8q-8fgw-9p6p #3859)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      versions:
          - introduced: 0.0.0-20241114205727-b1235e585db7
          - fixed: 0.0.0-20251022165510-cc2c476bac66
summary: OpenBao leaks HTTPRawBody in Audit Logs in github.com/openbao/openbao
cves:
    - CVE-2025-62513
ghsas:
    - GHSA-ghfh-fmx4-26h8
references:
    - advisory: https://github.com/advisories/GHSA-ghfh-fmx4-26h8
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8
    - fix: https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8
notes:
    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-ghfh-fmx4-26h8
    created: 2025-10-22T20:01:24.036617385Z
review_status: UNREVIEWED
```
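The Impact section above turns on one property of an audit device: sensitive request fields, the raw HTTP body included, must be replaced by a keyed HMAC before the entry is written, so the log remains searchable (an operator who knows a value can recompute its HMAC) without ever containing the secret. The Go program below is an added illustration of that property and of a regression check for it; it is not OpenBao's audit code, and the `AuditEntry` schema, the `Redactor` type, the `hmac-sha256:` prefix, the key and the ACME-style sample body are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEntry is a constructed, simplified stand-in for an audit-log record.
// The field names are assumptions for this example, not OpenBao's schema.
type AuditEntry struct {
	Path        string            `json:"path"`
	HTTPRawBody string            `json:"http_raw_body,omitempty"`
	Data        map[string]string `json:"data,omitempty"`
}

// Redactor holds the per-audit-device HMAC key (a constructed value here).
type Redactor struct {
	key []byte
}

func NewRedactor(key []byte) *Redactor { return &Redactor{key: key} }

// hmacValue returns "hmac-sha256:" + hex(HMAC-SHA256(key, value)), the shape a
// hashed audit field takes. The value stays searchable by anyone holding the
// key, but the plaintext itself never reaches the log.
func (r *Redactor) hmacValue(v string) string {
	m := hmac.New(sha256.New, r.key)
	m.Write([]byte(v))
	return "hmac-sha256:" + hex.EncodeToString(m.Sum(nil))
}

// RedactEntry returns a copy of e in which every sensitive field, the raw HTTP
// body included, has been HMAC'd. The regression the advisory describes is
// equivalent to skipping the HTTPRawBody branch below while still hashing Data.
func (r *Redactor) RedactEntry(e AuditEntry) AuditEntry {
	out := AuditEntry{Path: e.Path, Data: map[string]string{}}
	if e.HTTPRawBody != "" {
		out.HTTPRawBody = r.hmacValue(e.HTTPRawBody)
	}
	for k, v := range e.Data {
		out.Data[k] = r.hmacValue(v)
	}
	return out
}

// ContainsPlaintext reports whether a serialised audit line still carries any
// of the given secrets. Running it over a sample entry whose secrets you chose
// is a cheap regression test for exactly this class of bug.
func ContainsPlaintext(line string, secrets ...string) bool {
	for _, s := range secrets {
		if strings.Contains(line, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: an ACME-style challenge body with a made-up token.
	const token = "constructed-challenge-token"
	entry := AuditEntry{
		Path:        "pki/acme/challenge/EXAMPLE",
		HTTPRawBody: `{"keyAuthorization":"` + token + `.thumbprint"}`,
		Data:        map[string]string{"token": token},
	}
	r := NewRedactor([]byte("constructed-audit-hmac-key"))

	raw, _ := json.Marshal(entry)
	redacted, _ := json.Marshal(r.RedactEntry(entry))
	fmt.Println("unredacted line leaks token:", ContainsPlaintext(string(raw), token))
	fmt.Println("redacted line leaks token:  ", ContainsPlaintext(string(redacted), token))
	fmt.Println(string(redacted))
}
```

The check worth keeping from this is `ContainsPlaintext` run against a serialised entry: feed in a request whose secret values you constructed, and assert that none of them appear in the line the audit device would write. That test fails on the unredacted body and passes once every field, including the raw body, goes through `hmacValue`.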