Bug 2405883 (CVE-2025-62513) - CVE-2025-62513 github.com/openbao/openbao/audit: OpenBao leaks HTTPRawBody in Audit Logs
Keywords:
Status: NEW
Alias: CVE-2025-62513
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2405900 2405901 2405902 2405903 2405904
Blocks:
Reported: 2025-10-22 20:01 UTC by OSIDB Bzimport
Modified: 2025-10-22 20:15 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-10-22 20:01:58 UTC
OpenBao is an open source identity-based secrets management system. In versions 2.2.0 to 2.4.1, OpenBao's audit log had a regression in which the raw HTTP bodies used by a few endpoints were not correctly redacted (HMAC'd). This affects users of the ACME functionality of PKI, where short-lived ACME verification challenge codes were leaked into the audit logs. It also affects users of the OIDC issuer functionality of the identity subsystem, where auth and token response codes, along with claims, could be leaked into the audit logs. ACME verification codes are not usable after verification or challenge expiry, so they are of limited long-term use. This issue has been patched in OpenBao 2.4.2.
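As an added illustration (not OpenBao's own code), the redaction the advisory describes, modelled in Go: before an audit entry is written, the raw body is replaced with a salted HMAC-SHA256 tag, and a check confirms the plaintext value no longer appears in the emitted line. The struct, field names, request path and salt are constructed for the example, and the `hmac-sha256:` output prefix is an assumption modelled on Vault-style audit devices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditRequest is a constructed stand-in for the request half of an audit
// entry; the field mirrors the HTTPRawBody named in the advisory.
type AuditRequest struct {
	Path        string `json:"path"`
	HTTPRawBody string `json:"http_raw_body,omitempty"`
}

// hmacField replaces a sensitive value with a salted HMAC-SHA256 tag, so an
// auditor can still match a known value without the log exposing it.
// The "hmac-sha256:" prefix is assumed (modelled on Vault-style audit output).
func hmacField(salt []byte, value string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(value))
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

// FormatRequest renders the audit line as JSON. redact=false reproduces the
// class of regression in the advisory: the raw body is written verbatim.
func FormatRequest(salt []byte, req AuditRequest, redact bool) (string, error) {
	if redact && req.HTTPRawBody != "" {
		req.HTTPRawBody = hmacField(salt, req.HTTPRawBody)
	}
	b, err := json.Marshal(req)
	return string(b), err
}

// LeaksValue is a defender's check over an emitted audit line: true when the
// plaintext value still appears verbatim.
func LeaksValue(line, value string) bool { return strings.Contains(line, value) }

func main() {
	salt := []byte("per-device-salt-example")  // constructed salt
	token := "constructed-challenge-token"      // constructed ACME challenge value
	req := AuditRequest{Path: "pki/acme/challenge", HTTPRawBody: `{"keyAuthorization":"` + token + `"}`}
	leaky, _ := FormatRequest(salt, req, false)
	fixed, _ := FormatRequest(salt, req, true)
	fmt.Println(LeaksValue(leaky, token), LeaksValue(fixed, token)) // true false
}
```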

