CVE-2025-62705: 
Wolfi vulnerability analysis and mitigation

OpenBao, an open source identity-based secrets management system, was found to have a vulnerability in its audit log functionality prior to version 2.4.2. The vulnerability (CVE-2025-62705) involves improper redaction of fields when subsystems send []byte response parameters instead of strings. This security issue was discovered and disclosed on October 22, 2025 (GitHub Advisory).

The vulnerability is classified with CWE-532 (Insertion of Sensitive Information into Log File). It has been assigned a CVSS v4.0 score of 5.7 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue specifically affects the audit log system when handling []byte response parameters, particularly in sys/raw with encoding=base64 and Transit operations with derived Ed25519 key signing (GitHub Advisory).

The vulnerability results in sensitive information being exposed in audit logs. This includes unredacted data from sys/raw operations when using base64 encoding and public keys from Transit operations during signing operations with derived Ed25519 keys. The issue has been present since the HashiCorp Vault codebase and continues to impact Vault as of v1.20.4 (GitHub Advisory).

The issue has been patched in OpenBao version 2.4.2. For users unable to update immediately, a workaround is available by ensuring rawstorageendpoint=false is set or missing from the server configuration to prohibit the use of sys/raw globally. Users who do not use the affected functionality (sys/raw with base64 encoding or Transit with Ed25519 key signing) are not impacted (GitHub Advisory).