CVE-2025-62705: 
Wolfi vulnerability analysis and mitigation

OpenBao, an open source identity-based secrets management system, was found to have a vulnerability (CVE-2025-62705) where its audit log failed to properly redact fields when subsystems sent []byte response parameters instead of strings. This vulnerability was discovered on October 22, 2025, affecting all versions prior to 2.4.2. The issue impacts both OpenBao and continues to affect HashiCorp Vault through version 1.20.4 (GitHub Advisory, NVD).

The vulnerability stems from improper handling of []byte data types within the audit logging subsystem. When responses from subsystems like sys/raw contained sensitive data in []byte fields, the audit logging mechanism failed to redact or HMAC this data before writing it to logs. The issue received a CVSS v4.0 base score of 5.7 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 4.9 (Medium) (Miggo, NVD).

The vulnerability could lead to sensitive data exposure in audit logs, specifically affecting two main scenarios: when using sys/raw with encoding=base64, where all data would be emitted unredacted to the audit log, and in Transit operations when performing signing operations with derived Ed25519 keys, where public keys would be exposed in the audit log. Third-party plugins may also be affected (GitHub Advisory).

The issue has been patched in OpenBao version 2.4.2. For users unable to update immediately, a workaround is available: if the affected functionality is not required, users can prohibit the use of sys/raw globally by ensuring rawstorageendpoint=false is set or missing from the server configuration (GitHub Advisory).