CVE-2025-62513 Overview
CVE-2025-62513 is an information disclosure vulnerability in OpenBao, an open source identity-based secrets management system. A regression in versions 2.2.0 through 2.4.1 caused raw HTTP response bodies from specific endpoints to bypass audit log redaction. The audit subsystem failed to HMAC the HTTPRawBody response parameter, exposing sensitive data in plaintext within audit records. Affected functionality includes the Automatic Certificate Management Environment (ACME) feature of the PKI secrets engine and the OpenID Connect (OIDC) issuer in the identity subsystem. Leaked data includes short-lived ACME verification challenge codes, OIDC authentication responses, token response codes, and identity claims. The issue is tracked as CWE-532: Insertion of Sensitive Information into Log File and resolved in OpenBao 2.4.2.
Critical Impact
Operators with audit log access can read ACME challenge codes and OIDC tokens or claims that should have been redacted, undermining the confidentiality boundary of the secrets manager.
Affected Products
- OpenBao 2.2.0 through 2.4.1
- OpenBao PKI secrets engine using ACME functionality
- OpenBao identity subsystem using OIDC issuer functionality
Discovery Timeline
- 2025-10-22 - CVE-2025-62513 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2025-62513
Vulnerability Analysis
OpenBao's audit subsystem is designed to HMAC sensitive request and response fields before persisting them to audit logs. A regression introduced in version 2.2.0 broke this guarantee for endpoints that return raw HTTP response bodies through the HTTPRawBody response parameter. Instead of redacting these byte payloads, the formatter wrote them in cleartext to every configured audit sink.
Two subsystems emit HTTPRawBody responses. The PKI engine's ACME endpoints return verification challenge tokens during certificate issuance. The identity subsystem's OIDC issuer returns authorization codes, token responses, and identity claims during OAuth flows. Both response classes ended up persisted in audit logs intended only to record HMAC fingerprints.
ACME challenge codes expire after verification or challenge timeout, limiting their long-term utility. OIDC tokens and claims, however, can carry session validity sufficient for replay against relying parties.
Root Cause
The regression originated in audit log formatting logic that did not enumerate []byte typed response parameters during redaction. The patch refactors audit/format.go to ensure raw body fields are HMAC'd alongside other sensitive values. The accompanying changelog entry explicitly notes: "audit: redact HTTPRawBody response parameter in audit logs; CVE-2025-62513."
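The root cause described above, as an added illustration that is not OpenBao's own audit code: a simplified formatter that HMACs string values but, in the vulnerable mode, passes []byte values such as HTTPRawBody through untouched. The key, the response map and the function names are constructed for the example; the hmac-sha256: prefix is the format named in the detection section.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hmacValue returns the "hmac-sha256:<hex>" form an audit sink stores in place of a secret.
func hmacValue(key, value []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(value)
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

// redactResponse copies response data, replacing sensitive values with their HMAC.
// handleRawBytes=false models the regression: strings are redacted, but a []byte
// value such as HTTPRawBody is written through unchanged.
func redactResponse(key []byte, data map[string]interface{}, handleRawBytes bool) map[string]interface{} {
	out := make(map[string]interface{}, len(data))
	for k, v := range data {
		switch val := v.(type) {
		case string:
			out[k] = hmacValue(key, []byte(val))
		case []byte:
			if handleRawBytes {
				out[k] = hmacValue(key, val) // patched behaviour
			} else {
				out[k] = val // regression: raw body lands in the sink in cleartext
			}
		default:
			out[k] = val // non-secret metadata (ints, bools) is kept as-is
		}
	}
	return out
}

func main() {
	key := []byte("constructed-audit-hmac-key")
	resp := map[string]interface{}{ // constructed ACME-style response
		"HTTPRawBody": []byte(`{"status":"pending","token":"acme-challenge-token"}`),
		"code":        "constructed-oidc-code",
	}
	before := redactResponse(key, resp, false)
	after := redactResponse(key, resp, true)
	fmt.Printf("vulnerable: HTTPRawBody=%s\n", before["HTTPRawBody"])
	fmt.Printf("patched:    HTTPRawBody=%s\n", after["HTTPRawBody"])
}
```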
Attack Vector
Exploitation requires high privileges — read access to the audit log destination (file, socket, or syslog sink). An attacker with audit log visibility passively harvests challenge codes or OIDC artifacts as legitimate operations occur. The vulnerability is not remotely triggerable without prior audit log access, which constrains the exposure to insider threat or post-compromise scenarios where audit storage has been reached.
// Excerpt from audit/format.go in the fixing commit: a helper that elides list response data,
// replacing the "keys" slice with its length so list contents are not persisted to the sink
// Source: https://github.com/openbao/openbao/commit/cc2c476bac66e1d94776c2629793daec3af625f8
func doElideListResponseData(data map[string]interface{}) {
	for k, v := range data {
		switch k {
		case "keys":
			if vSlice, ok := v.([]interface{}); ok {
				data[k] = len(vSlice)
			} else if vSlice, ok := v.([]string); ok {
				data[k] = len(vSlice)
			}
		}
	}
}
# changelog/2002.txt
release-note:security
audit: redact `HTTPRawBody` response parameter in audit logs; CVE-2025-62513 / GHSA-ghfh-fmx4-26h8.
release-note:security
audit: redact `[]byte` type response parameters in audit logs; GHSA-rc54-2g2c-g36g.
Detection Methods for CVE-2025-62513
Indicators of Compromise
- Audit log entries containing cleartext HTTPRawBody fields rather than hmac-sha256: prefixed values.
- ACME challenge tokens or OIDC id_token, access_token, or code strings appearing inline in audit JSON records.
- Unexpected access patterns to audit log files or remote syslog targets storing OpenBao audit data.
Detection Strategies
- Grep audit logs for JSON keys such as HTTPRawBody, id_token, and access_token whose values are strings that do not carry the hmac-sha256: prefix.
- Compare audit record schemas before and after upgrading to 2.4.2 to confirm previously exposed fields are now redacted.
- Hunt for processes or accounts that read OpenBao audit sinks outside of the expected backup or SIEM ingestion workflow.
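The first detection strategy above, as an added example rather than a tool the project ships: a scanner over JSON-lines audit output that reports every sensitive key whose string value lacks the hmac-sha256: prefix. The sample records, key list and function names are constructed; real audit records carry more fields, but the check is the same.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Fields the advisory names as leaking; a healthy record carries the hmac-sha256: prefix on each.
var sensitiveKeys = map[string]bool{"HTTPRawBody": true, "id_token": true, "access_token": true, "code": true}

// findCleartext returns JSON paths (recursing into nested objects) of sensitive keys whose string value lacks the HMAC prefix.
func findCleartext(node interface{}, path string) []string {
	var hits []string
	if obj, ok := node.(map[string]interface{}); ok {
		for k, child := range obj {
			if s, isStr := child.(string); isStr && sensitiveKeys[k] && !strings.HasPrefix(s, "hmac-sha256:") {
				hits = append(hits, path+"."+k)
			}
			hits = append(hits, findCleartext(child, path+"."+k)...)
		}
	}
	sort.Strings(hits) // map iteration order is random; keep output deterministic
	return hits
}

// scanAuditLog reads JSON-lines audit output and maps each offending line number to its paths.
func scanAuditLog(log string) map[int][]string {
	findings := map[int][]string{}
	for i, line := range strings.Split(strings.TrimSpace(log), "\n") {
		var rec interface{}
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			findings[i+1] = []string{"unparseable audit record"} // truncated lines deserve a look too
		} else if hits := findCleartext(rec, "$"); len(hits) > 0 {
			findings[i+1] = hits
		}
	}
	return findings
}

func main() {
	// Constructed sample: line 1 is healthy, lines 2 and 3 show the leak described above.
	sample := `{"type":"response","response":{"data":{"HTTPRawBody":"hmac-sha256:0f1e"}}}
{"type":"response","response":{"data":{"HTTPRawBody":"{\"token\":\"acme-chal\"}"}}}
{"type":"response","response":{"data":{"id_token":"eyJhbGc.constructed","access_token":"hmac-sha256:9a8b"}}}`
	for line, paths := range scanAuditLog(sample) {
		fmt.Printf("line %d: cleartext in %v\n", line, paths)
	}
}
```

A leaked []byte body is serialised as a plain string in the JSON record, so the same prefix test catches both the raw-body and the token cases.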
Monitoring Recommendations
- Forward OpenBao audit logs to a centralized log platform with strict access controls and file integrity monitoring.
- Alert on shell access, cat, or tail against audit log paths on OpenBao nodes.
- Track issuance of ACME challenges and OIDC tokens for replay attempts against relying parties.
How to Mitigate CVE-2025-62513
Immediate Actions Required
- Upgrade OpenBao to version 2.4.2 or later on every node in the cluster.
- Rotate any OIDC client secrets and force re-authentication for sessions issued during the vulnerable window if logs were accessible to untrusted parties.
- Restrict audit log storage to least-privilege accounts and review historical access.
- Purge or sanitize archived audit logs that contain unredacted HTTPRawBody values.
Patch Information
The fix landed in OpenBao 2.4.2. Review the GitHub Security Advisory GHSA-ghfh-fmx4-26h8 and the audit formatting commit cc2c476 for implementation details. The patch redacts both HTTPRawBody and other []byte response parameters.
Workarounds
- If immediate upgrade is not possible, disable ACME endpoints on the PKI mount and the OIDC issuer on the identity mount until patched.
- Tighten audit device permissions so only privileged operators can read sinks.
- Route audit logs through a transformation pipeline that strips HTTPRawBody fields before storage.
# Verify the installed version before upgrading
bao version
# Upgrade to the patched release
# (example for a binary install; adjust paths for your packaging)
curl -L -o openbao_2.4.2_linux_amd64.zip \
  https://github.com/openbao/openbao/releases/download/v2.4.2/openbao_2.4.2_linux_amd64.zip
unzip -o openbao_2.4.2_linux_amd64.zip
# Place the extracted binary where the openbao service expects it, then restart
systemctl restart openbao
# Optional: temporarily disable ACME on the PKI mount
bao write pki/config/acme enabled=false
# Optional: disable the OIDC issuer until patched
bao delete identity/oidc/config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.