CVE-2025-55003: 
Homebrew vulnerability analysis and mitigation

CVE-2025-55003 affects OpenBao's Login Multi-Factor Authentication (MFA) system in versions 2.3.1 and below. The vulnerability was discovered and disclosed on August 8, 2025. The issue exists in OpenBao's TOTP (Time-based One Time Password) implementation where whitespace in TOTP codes could bypass internal rate limiting and allow code reuse (GitHub Advisory).

The vulnerability stems from incorrect normalization of TOTP codes prior to enforcing the once-per-validity-window check. Due to normalization applied by the underlying TOTP library, codes containing whitespace were accepted, which could bypass internal rate limiting of the MFA method. The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity, requiring low privileges and user interaction (GitHub Advisory, NVD).

The vulnerability allows attackers to bypass MFA protections by reusing TOTP codes that contain whitespace, potentially leading to unauthorized access to sensitive data including secrets, certificates, and keys stored in OpenBao (NVD).

The vulnerability has been fixed in OpenBao version 2.3.2. As a workaround before upgrading, organizations can implement rate-limiting quotas to limit an attacker's ability to exploit this vulnerability. The fix includes proper validation of TOTP code length and improved error handling for code reuse attempts (GitHub Advisory, GitHub Commit).