
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenBao, a software solution for managing sensitive data including secrets, certificates, and keys, was found to contain a critical vulnerability (CVE-2025-54997) in versions 2.3.1 and below. The vulnerability was discovered and disclosed on August 8, 2025. The issue allows privileged API operators to bypass the host's restrictions on code execution and network connections through the audit subsystem, by manipulating audit log prefixes (GitHub Advisory, NVD).
The vulnerability exists in OpenBao's audit subsystem where privileged operators with write permissions to the sys/audit endpoint can use the file audit device to write arbitrary files to disk. When combined with plugin registration and usage, this functionality could be exploited to execute arbitrary code on the underlying host. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability allows code execution and network access that the intended security model does not grant to API operators. Under certain threat models, OpenBao operators with privileged API access who normally lack system administrator privileges could gain the ability to update binaries, execute code on the system, and open TCP connections to arbitrary hosts in the environment where OpenBao is executing (GitHub Advisory).
The vulnerability has been fixed in OpenBao version 2.3.2. The fix introduces two new server configuration options: unsafe_allow_api_audit_creation (default: false), which controls the ability to create audit mounts via the API, and allow_audit_log_prefixing (default: false), which controls the availability of the prefix audit mount option. As a workaround, users can block access to sys/audit/* endpoints using explicit deny policies, although this would not restrict root-level operators (GitHub Release).
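As an added detection example (not part of this report or of the OpenBao project), the scan below reads JSON audit log lines and flags API writes to sys/audit/<name>, rating a file device enabled with the prefix option highest because that is the combination this advisory describes. The entry layout (request.operation, request.path, request.data.options, auth.display_name) and the sample lines are assumptions constructed for the example; adjust field names to your deployment's audit format.

```python
import json

# Audit device enable/update requests arrive as writes on sys/audit/<name>.
WRITE_OPS = {"update", "create"}

def inspect_audit_line(line: str):
    """Return a finding dict for a write to sys/audit/<name>, else None."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON audit entry; skip it
    req = entry.get("request") or {}
    path = req.get("path", "")
    if not path.startswith("sys/audit/") or req.get("operation") not in WRITE_OPS:
        return None
    data = req.get("data") or {}
    options = data.get("options") or {}
    # Option values are normally HMAC'd in the log, so only key presence is
    # checked; a file device carrying "prefix" is the pattern of interest here.
    uses_prefix = "prefix" in options
    return {
        "time": entry.get("time"),
        "device": path[len("sys/audit/"):],
        "type": data.get("type"),
        "actor": (entry.get("auth") or {}).get("display_name"),
        "uses_prefix": uses_prefix,
        "severity": "high" if uses_prefix and data.get("type") == "file" else "medium",
    }

def scan(lines):
    """Run inspect_audit_line over an iterable of log lines, keeping findings."""
    return [f for f in (inspect_audit_line(l) for l in lines) if f]

# Constructed sample entries for illustration (not real logs); HMAC values are placeholders.
SAMPLE_LOG = [
    '{"type":"request","time":"2025-08-08T10:00:00Z","auth":{"display_name":"token-ops"},'
    '"request":{"operation":"update","path":"sys/audit/file2","data":{"type":"file",'
    '"options":{"file_path":"hmac-sha256:aaa","prefix":"hmac-sha256:bbb"}}}}',
    '{"type":"request","time":"2025-08-08T10:01:00Z","auth":{"display_name":"token-ops"},'
    '"request":{"operation":"update","path":"sys/audit/syslog","data":{"type":"syslog","options":{}}}}',
    '{"type":"request","time":"2025-08-08T10:02:00Z","auth":{"display_name":"app"},'
    '"request":{"operation":"read","path":"secret/data/app"}}',
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "high" finding should be reconciled against change records for the sys/audit mount and against whether unsafe_allow_api_audit_creation or allow_audit_log_prefixing is enabled on the server.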
Source: This report was generated using AI