CVE-2025-62513: 
Wolfi vulnerability analysis and mitigation

OpenBao, an open source identity-based secrets management system, was found to have a vulnerability (CVE-2025-62513) where its audit log experienced a regression in versions 2.2.0 to 2.4.1. The vulnerability was discovered on October 22, 2025, and involves raw HTTP bodies used by certain endpoints not being correctly redacted (HMAC'd) (GitHub Advisory, NVD).

The vulnerability stems from a flaw in OpenBao's audit logging system where the HTTPRawBody field was not properly redacted in audit logs for specific endpoints. The system used a problematic two-copy approach for data hashing, which failed to correctly handle fields of type []byte, such as HTTPRawBody. The vulnerability has been assigned a CVSS v4.0 base score of 5.7 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N (GitHub Advisory, Miggo).

The vulnerability affects two main subsystems: 1) The ACME functionality of PKI, where short-lived ACME verification challenge codes are leaked in the audit logs, and 2) The OIDC issuer functionality of the identity subsystem, where auth and token response codes along with claims could be leaked in the audit logs. Third-party plugins may also be affected (GitHub Advisory).

The vulnerability has been patched in OpenBao version 2.4.2. For users who cannot immediately update, a workaround exists: if the ACME functionality of PKI or the OIDC issuer functionality of the identity subsystem is not in use, the system is not impacted by this vulnerability (GitHub Advisory).