CVE-2025-62513

7.5 HIGH

📋 TL;DR

OpenBao versions 2.2.0 to 2.4.1 have an audit log regression in which raw HTTP bodies for certain endpoints are not properly redacted. As a result, ACME verification challenge codes and OIDC auth/token response codes, together with their claims, are written to the audit logs in the clear. Organizations using OpenBao's ACME PKI functionality or OIDC identity subsystem are affected.

💻 Affected Systems

Products:
  • OpenBao
Versions: 2.2.0 to 2.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using ACME PKI functionality or OIDC identity subsystem features.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with access to audit logs could obtain ACME verification codes before expiry or OIDC auth/token codes, potentially enabling unauthorized certificate issuance or identity impersonation.

🟠 Likely Case

Sensitive authentication codes and claims are exposed in audit logs, allowing privileged insiders or attackers with log access to view sensitive authentication data.

🟢 If Mitigated

With proper log access controls and short code expiry times, the impact is limited to temporary exposure of time-sensitive authentication data.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to audit logs, which typically requires some level of system access or privilege.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2

Vendor Advisory: https://github.com/openbao/openbao/security/advisories/GHSA-ghfh-fmx4-26h8

Restart Required: Yes

Instructions:

1. Backup OpenBao configuration and data.
2. Download OpenBao 2.4.2 from the official repository.
3. Stop the OpenBao service.
4. Replace the binary with the patched version.
5. Restart the OpenBao service.
6. Verify the service is running correctly.

🔧 Temporary Workarounds

Disable affected functionality (applies to: all)

Temporarily disable ACME PKI or OIDC identity subsystem features until patching is possible.

Restrict audit log access (applies to: all)

Implement strict access controls on audit log storage and viewing to limit exposure.

🧯 If You Can't Patch

  • Implement strict access controls on audit log storage and viewing
  • Monitor audit logs for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check the OpenBao version with the 'openbao version' command and confirm whether it falls between 2.2.0 and 2.4.1 inclusive.

Check Version:

openbao version

Verify Fix Applied:

After patching, verify that the version reported by 'openbao version' is 2.4.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unredacted ACME challenge codes or OIDC auth/token codes in audit logs
  • Sensitive claims data in audit logs

Network Indicators:

  • Unauthorized access attempts to audit log storage

SIEM Query:

source="openbao-audit" AND (message="*challenge*" OR message="*token*" OR message="*auth*")
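The SIEM query above matches on keywords alone and will fire on every normal ACME or OIDC request. A more targeted check is to parse the JSON audit entries and flag any value logged under an ACME or OIDC path that is not HMAC-protected, which is exactly the symptom of this regression. The script below is an added example, not OpenBao's own code; the sample entries are constructed, and the Vault-style audit layout (request.path, request.data, response.data, values prefixed with hmac-sha256:) and the pki/acme/ and identity/oidc/ path prefixes are assumptions about your mounts.

```python
import json
import re

# Constructed sample audit entries, not real OpenBao output. The Vault-style layout
# (request.path, response.data, HMAC'd values prefixed "hmac-sha256:") is assumed.
SAMPLE_AUDIT_LINES = [
    '{"type":"response","request":{"path":"pki/acme/challenge/xyz","operation":"update"},'
    '"response":{"data":{"token":"CONSTRUCTED-RAW-CHALLENGE-TOKEN"}}}',
    '{"type":"response","request":{"path":"identity/oidc/provider/default/token","operation":"update"},'
    '"response":{"data":{"access_token":"hmac-sha256:cd34","id_token":"hmac-sha256:ef56"}}}',
    '{"type":"response","request":{"path":"identity/oidc/provider/default/token","operation":"update"},'
    '"response":{"data":{"id_token":"eyJ.CONSTRUCTED.claims"}}}',
    '{"type":"response","request":{"path":"secret/data/app","operation":"read"},'
    '"response":{"data":{"password":"other-mount-not-in-scope"}}}',
    'not a json line at all',
]

# Path prefixes for the two subsystems named in the advisory (assumed mount names).
AFFECTED_PATH = re.compile(r"^(pki/acme/|identity/oidc/)")
HMAC_PREFIX = "hmac-sha256:"

def _unredacted_keys(obj, prefix):
    """Walk a data object and yield dotted keys whose string value is not HMAC'd."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _unredacted_keys(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _unredacted_keys(value, f"{prefix}{idx}.")
    elif isinstance(obj, str) and obj and not obj.startswith(HMAC_PREFIX):
        yield prefix.rstrip(".")

def find_unredacted(lines):
    """Return (line_no, path, key) for every plaintext value logged under an ACME
    or OIDC path; unparseable lines and entries for other mounts are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        path = entry.get("request", {}).get("path", "")
        if not AFFECTED_PATH.match(path):
            continue
        for section in ("request", "response"):
            data = entry.get(section, {}).get("data")
            for key in _unredacted_keys(data, f"{section}.data."):
                findings.append((line_no, path, key))
    return findings
```

Keys you have deliberately exempted from HMAC on a mount will also be flagged, so filter those out for your environment; any remaining hit on an ACME or OIDC path on a 2.2.0 to 2.4.1 node is evidence that this regression is leaking codes into the audit device.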
