# OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse

## Key Information

### Vulnerability Overview

- **Vulnerability Name:** OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
- **CVE ID:** CVE-2025-55003
- **Severity:** Medium (CVSS v3 Base Score: 5.7/10)

### Impact

- **Affected Versions:** < 2.3.2
- **Fixed Version:** 2.3.2

**Description:** OpenBao's login Multi-Factor Authentication (MFA) system enforces MFA using Time-based One-Time Passwords (TOTP). Because the underlying TOTP library normalizes submitted codes, codes containing spaces are accepted as equivalent to the same code without spaces. Spacing variants of one code can therefore bypass the MFA method's internal rate limiting and allow an already-used MFA code to be reused.

### Mitigation

- **Patch:** OpenBao v2.3.2 will fix this issue.
- **Workaround:** Rate limit quotas can be used to limit an attacker's ability to exploit this vulnerability: https://openbao.org/api-docs/system/rate-limit-quotas/

## References

This issue was disclosed to HashiCorp and is equivalent to the following tickets for OpenBao:

- https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
- https://nvd.nist.gov/vuln/detail/CVE-2025-6015
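As an added example (not OpenBao's or the TOTP library's code), a small Go model of the token-reuse half of this issue: the verifier compares a whitespace-normalized code, as the description says the underlying library does, while the flawed variant records consumed codes under the raw submitted string and the fixed variant under the normalized one. The expected code `123456` is a constructed value; `Verifier`, `normalize` and `Validate` are hypothetical names.

```go
package main

import (
	"strings"
	"unicode"
)

// Verifier models the replay protection of one login-MFA method: a code that
// has been consumed in the current window must not be accepted again.
// Hypothetical model written for this advisory, not OpenBao's code.
type Verifier struct {
	expected string          // the currently valid TOTP code (constructed)
	keyOnRaw bool            // true reproduces the flaw, false the fix
	used     map[string]bool // replay set, keyed as described in Validate
}

func NewVerifier(expected string, keyOnRaw bool) *Verifier {
	return &Verifier{expected, keyOnRaw, map[string]bool{}}
}

// normalize mirrors the TOTP library's behaviour before comparison: every
// whitespace rune is dropped, so "123 456" compares equal to "123456".
func normalize(raw string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsSpace(r) {
			return -1 // a negative result tells strings.Map to drop the rune
		}
		return r
	}, raw)
}

// Validate compares the normalized code but records the consumed code under
// key. With keyOnRaw, "123456" and "123 456" are different keys, so a code
// that was already used passes again as long as its spacing is new.
func (v *Verifier) Validate(raw string) bool {
	code := normalize(raw)
	key := code // the fix: track the same value that is compared
	if v.keyOnRaw {
		key = raw // the flaw: each spacing variant gets its own entry
	}
	if v.used[key] || code != v.expected {
		return false
	}
	v.used[key] = true
	return true
}
```

The defender's takeaway is the keying rule: whatever canonical form the comparison sees is the form that replay tracking and rate-limit bookkeeping must see too.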