
x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-rc54-2g2c-g36g #4052

@GoVulnBot

Description


Advisory GHSA-rc54-2g2c-g36g references a vulnerability in the following Go modules:

Module
github.com/openbao/openbao

Description:

Impact

OpenBao's audit log did not appropriately redact fields when relevant subsystems sent []byte response parameters rather than strings. This includes, but is not limited to:

  • sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log.
  • Transit, when performing a signing operation with a derived Ed25519 key, would emit public keys to the audit log.

Third-party plugins may be affected.

This issue has been present since HashiCorp Vault and continues to impact Vault as of v1.20.4.
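The failure mode the advisory describes, as an added illustration that is not OpenBao's or Vault's code: an audit redaction step that HMACs only string-typed response fields lets []byte values reach the log in cleartext, while one that treats []byte the same as string (and recurses into nested maps) does not. The key, field names, response map and the `hmac-sha256:` tag format are all constructed for this example; `LeakedByteFields` is a hypothetical check a test suite could run over redacted output to catch the regression.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// SampleKey is a constructed HMAC key; a real audit backend derives its own.
var SampleKey = []byte("constructed-example-audit-key")

// SampleResponse is a constructed response map: one subsystem returned a
// sensitive value as a string, another returned the same kind of value as
// []byte, and a nested map carries raw key material as []byte.
func SampleResponse() map[string]interface{} {
	return map[string]interface{}{
		"secret_string": "hunter2",
		"secret_bytes":  []byte("hunter2"),
		"nested": map[string]interface{}{
			"public_key": []byte{0x01, 0x02, 0x03},
		},
	}
}

// hmacValue returns a tagged, hex-encoded HMAC-SHA256 of the raw bytes,
// standing in for whatever an audit log writes in place of a secret.
func hmacValue(key, raw []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(raw)
	return "hmac-sha256:" + hex.EncodeToString(m.Sum(nil))
}

// RedactStringsOnly models the flawed pattern: only string-typed values are
// HMACed, so []byte values pass through untouched.
func RedactStringsOnly(key []byte, data map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			out[k] = hmacValue(key, []byte(val))
		case map[string]interface{}:
			out[k] = RedactStringsOnly(key, val)
		default:
			out[k] = val
		}
	}
	return out
}

// RedactAll is the corrected form: []byte is redacted exactly like string,
// so the Go type a subsystem chose no longer decides whether data leaks.
func RedactAll(key []byte, data map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			out[k] = hmacValue(key, []byte(val))
		case []byte:
			out[k] = hmacValue(key, val)
		case map[string]interface{}:
			out[k] = RedactAll(key, val)
		default:
			out[k] = val
		}
	}
	return out
}

// LeakedByteFields walks a redacted map and returns the sorted paths of any
// []byte values that survived; a non-empty result means raw bytes would be logged.
func LeakedByteFields(data map[string]interface{}) []string {
	var paths []string
	var walk func(prefix string, m map[string]interface{})
	walk = func(prefix string, m map[string]interface{}) {
		for k, v := range m {
			switch val := v.(type) {
			case []byte:
				paths = append(paths, prefix+k)
			case map[string]interface{}:
				walk(prefix+k+"/", val)
			}
		}
	}
	walk("", data)
	sort.Strings(paths)
	return paths
}

func main() {
	fmt.Println("strings-only redaction leaks:", LeakedByteFields(RedactStringsOnly(SampleKey, SampleResponse())))
	fmt.Println("full redaction leaks:        ", LeakedByteFields(RedactAll(SampleKey, SampleResponse())))
}
```

Because both redactors HMAC the underlying bytes, `RedactAll` produces the same tag for `"hunter2"` whether it arrived as a string or as []byte, which is the property a log reader relies on when correlating redacted fields across entries.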

Patches

OpenBao v2.4.2 will patch this issue.

Worka...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      versions:
        - fixed: 0.0.0-20251022165510-cc2c476bac66
summary: OpenBao and Vault Leak []byte Fields in Audit Logs in github.com/openbao/openbao
cves:
    - CVE-2025-62705
ghsas:
    - GHSA-rc54-2g2c-g36g
references:
    - advisory: https://github.com/advisories/GHSA-rc54-2g2c-g36g
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-rc54-2g2c-g36g
    - fix: https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8
notes:
    - fix: 'github.com/openbao/openbao: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
    id: GHSA-rc54-2g2c-g36g
    created: 2025-10-22T20:01:44.206051188Z
review_status: UNREVIEWED
