CVE-2025-62513: 
Wolfi vulnerability analysis and mitigation

OpenBao, an open source identity-based secrets management system, was found to have a vulnerability in versions 2.2.0 to 2.4.1. The vulnerability (CVE-2025-62513) involves a regression in OpenBao's audit log system where raw HTTP bodies from certain endpoints were not properly redacted through HMAC. The issue was discovered and disclosed on October 22, 2025, affecting the ACME functionality of PKI and OIDC issuer functionality of the identity subsystem (GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 base score of 5.7 (Medium severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is categorized under CWE-532 (Insertion of Sensitive Information into Log File). The vulnerability specifically affects the audit logging mechanism where raw HTTP bodies containing sensitive information were not properly HMAC'd before being written to logs (GitHub Advisory).

The vulnerability impacts two main functionalities: 1) ACME functionality of PKI, where short-lived ACME verification challenge codes are leaked in the audit logs, and 2) OIDC issuer functionality of the identity subsystem, where auth and token response codes along with claims could be exposed in the audit logs. Third-party plugins may also be affected. However, the ACME verification codes have limited long-term use as they become unusable after verification or challenge expiry (GitHub Advisory).

The vulnerability has been patched in OpenBao version 2.4.2. For users who cannot immediately update, a workaround exists: if the ACME functionality of PKI or OIDC issuer functionality is not in use, systems are not impacted by this vulnerability (GitHub Advisory).