CVE-2025-54999: 
Wolfi vulnerability analysis and mitigation

OpenBao, a software solution for managing sensitive data including secrets, certificates, and keys, was found to contain a timing side-channel vulnerability (CVE-2025-54999) in versions 0.1.0 through 2.3.1. The vulnerability was discovered in the userpass authentication method, where user enumeration was possible due to timing differences between non-existent users and users with stored credentials, regardless of password validity. The issue was disclosed on August 8, 2025, and was fixed in version 2.3.2 (NVD, GitHub Advisory).

The vulnerability stems from a timing side-channel in the userpass authentication method implementation. The system attempted to mitigate timing-based information leaks by invoking bcrypt with a placeholder string for non-existent usernames, but the implementation was flawed because CompareHashAndPassword would exit early if the hash format was invalid. This timing difference made it possible to distinguish between existing and non-existing users. The vulnerability has been assigned a CVSS v3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD, HashiCorp Discussion).

The vulnerability allows attackers to enumerate valid usernames in the userpass authentication method through timing analysis. This could potentially be used as part of a broader attack strategy to identify valid users in the system, though the attack complexity is considered high due to the nature of timing-based attacks (GitHub Advisory).

The vulnerability has been fixed in OpenBao version 2.3.2. For users unable to upgrade immediately, two workarounds are available: using an alternative authentication method or implementing rate-limiting quotas to restrict the number of requests within a specific time period. The rate-limiting can be configured through OpenBao's rate-limit-quotas system (GitHub Advisory).