CVE-2025-52894

7.5 HIGH

📋 TL;DR

OpenBao before version 2.3.0 allows unauthenticated attackers to cancel root rekey and recovery rekey operations, causing denial of service. All OpenBao deployments running a default configuration are affected.

💻 Affected Systems

Products:
  • OpenBao
Versions: All versions before 2.3.0
Operating Systems: All platforms running OpenBao
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default in OpenBao versions before 2.3.0. OpenBao 2.2.0+ can mitigate by setting disable_unauthed_rekey_endpoints=true.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disruption of OpenBao operations by repeatedly canceling critical rekey operations, preventing legitimate key rotation and potentially locking out administrators.

🟠 Likely Case: Temporary denial of service affecting rekey operations, requiring manual intervention to restart the process.

🟢 If Mitigated: Minimal impact if proper authentication controls or network restrictions are in place.

🌐 Internet-Facing: HIGH - Unauthenticated endpoints accessible from the internet can be easily exploited for DoS.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to specific endpoints can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenBao 2.3.0

Vendor Advisory: https://github.com/openbao/openbao/security/advisories/GHSA-prpj-rchp-9j5h

Restart Required: Yes

Instructions:

1. Upgrade OpenBao to version 2.3.0 or later.
2. Restart the OpenBao service.
3. Verify the upgrade was successful.

🔧 Temporary Workarounds

Configuration mitigation (applies to: all)

Set disable_unauthed_rekey_endpoints = true in the OpenBao configuration file. This option is available in OpenBao 2.2.0 and later.

Network access control (applies to: all)

Configure the firewall, reverse proxy, or load balancer in front of OpenBao to deny requests to /v1/sys/rekey/init and /v1/sys/rekey/update from unauthorized IPs.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to OpenBao endpoints
  • Deploy WAF or reverse proxy with strict access controls for rekey endpoints

🔍 How to Verify

Check if Vulnerable:

Check the OpenBao version with the OpenBao CLI, whose binary is named 'bao'. If the version is below 2.3.0, the system is vulnerable.

Check Version:

bao version

Verify Fix Applied:

Verify that the OpenBao version is 2.3.0 or higher, or, on 2.2.0 and later, confirm that the configuration contains the disable_unauthed_rekey_endpoints = true setting.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /v1/sys/rekey/init or /v1/sys/rekey/update endpoints
  • Multiple rekey operation cancellations in short time

Network Indicators:

  • HTTP POST requests to rekey endpoints from unauthorized sources
  • Unusual traffic patterns to OpenBao rekey endpoints

SIEM Query:

source="openbao" AND (uri_path="/v1/sys/rekey/init" OR uri_path="/v1/sys/rekey/update") AND http_status=200 AND auth_status="unauthenticated"
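Added example, not taken from this advisory or from the OpenBao project: a small Python detector that applies the log indicators above to constructed JSON-per-line events whose field names mirror the SIEM query (uri_path, http_status, auth_status). The feed format, field names, source IPs and timestamps are assumptions and not OpenBao's own audit log format; beyond the query itself, it also raises one alert per burst of unauthenticated rekey calls from a single source.

```python
import json
from datetime import datetime, timedelta

# Endpoints named in this advisory's mitigation and detection guidance.
REKEY_PATHS = {"/v1/sys/rekey/init", "/v1/sys/rekey/update"}

# Constructed sample events (assumed JSON-per-line feed whose fields mirror the
# SIEM query; not OpenBao's real audit log format; IPs are documentation ranges).
SAMPLE_LOG = """\
{"ts":"2025-06-01T10:00:00Z","src_ip":"10.0.0.5","uri_path":"/v1/sys/rekey/init","http_status":200,"auth_status":"authenticated"}
{"ts":"2025-06-01T10:00:05Z","src_ip":"203.0.113.7","uri_path":"/v1/sys/rekey/init","http_status":200,"auth_status":"unauthenticated"}
{"ts":"2025-06-01T10:00:09Z","src_ip":"203.0.113.7","uri_path":"/v1/sys/rekey/init","http_status":200,"auth_status":"unauthenticated"}
{"ts":"2025-06-01T10:00:12Z","src_ip":"10.0.0.9","uri_path":"/v1/sys/health","http_status":200,"auth_status":"unauthenticated"}
{"ts":"2025-06-01T10:00:20Z","src_ip":"203.0.113.7","uri_path":"/v1/sys/rekey/init","http_status":200,"auth_status":"unauthenticated"}
{"ts":"2025-06-01T10:30:00Z","src_ip":"198.51.100.2","uri_path":"/v1/sys/rekey/update","http_status":200,"auth_status":"unauthenticated"}
not-json garbage line
"""

def parse_events(text):
    """Parse JSON lines into dicts with 'ts' as a datetime; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue
        events.append(ev)
    return events

def unauthed_rekey_hits(events):
    """Same predicate as the SIEM query: successful, unauthenticated rekey endpoint calls."""
    return [ev for ev in events
            if ev.get("uri_path") in REKEY_PATHS
            and ev.get("http_status") == 200
            and ev.get("auth_status") == "unauthenticated"]

def burst_alerts(hits, threshold=3, window=timedelta(seconds=60)):
    """Per source IP, one alert when >= threshold hits land inside a sliding window."""
    alerts, recent = [], {}
    for ev in sorted(hits, key=lambda e: e["ts"]):
        times = recent.setdefault(ev["src_ip"], [])
        times.append(ev["ts"])
        while ev["ts"] - times[0] > window:   # expire timestamps outside the window
            times.pop(0)
        if len(times) >= threshold:
            alerts.append((ev["src_ip"], ev["ts"]))
            times.clear()                     # one alert per burst
    return alerts
```

Running burst_alerts(unauthed_rekey_hits(parse_events(SAMPLE_LOG))) on the constructed feed yields a single alert for 203.0.113.7 ending at 10:00:20; the authenticated call and the /v1/sys/health request are ignored.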
