How the CVE Works
OpenBao (and HashiCorp Vault) use the `mapstructure` library to decode request fields. When a field that should carry sensitive data is decoded, improper error handling around `WeakDecode()` leaks the original value in the error message. The vulnerable path is in field_data.go, where malformed input (for example a map where a string is expected) produces an error that embeds the unconverted input. The `mapstructure` helper code (lines 679–787) returns those raw values inside the error text, so the sensitive data ends up in logs or API responses.
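As an added illustration (not code from OpenBao, Vault or the `mapstructure` library), the Go program below reproduces the error-message shape described above with a constructed stand-in decoder, then shows the sanitisation the Protection section calls for: the `, value: '…'` tail of the decode error is redacted before the error can reach a log or an API response. The function names and the regular expression are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// decodeStringField mimics the failure path the post describes: a decoder
// that expects a string and, when handed something else (here a map), builds
// an error that embeds the unconverted value. Constructed stand-in, not the
// mapstructure library's own code.
func decodeStringField(name string, raw interface{}) (string, error) {
	switch v := raw.(type) {
	case string:
		return v, nil
	default:
		return "", fmt.Errorf("'%s' expected type 'string', got unconvertible type '%T', value: '%v'", name, raw, raw)
	}
}

// valueSuffix matches the ", value: '...'" tail that carries the raw input
// ((?s) so a multi-line value is also caught).
var valueSuffix = regexp.MustCompile(`(?s), value: '.*'$`)

// redactDecodeError rewrites a decode error so the unconverted value never
// leaves the handler; the type information is kept for debugging.
func redactDecodeError(err error) error {
	if err == nil {
		return nil
	}
	return errors.New(valueSuffix.ReplaceAllString(err.Error(), ", value: '[redacted]'"))
}

// safeDecodeStringField is the hardened entry point: same decoding, but any
// error is sanitised before it is returned to the caller.
func safeDecodeStringField(name string, raw interface{}) (string, error) {
	s, err := decodeStringField(name, raw)
	return s, redactDecodeError(err)
}

func main() {
	// Constructed input shaped like the post's curl body: a map where a
	// string is expected.
	body := map[string]interface{}{"password": map[string]interface{}{"asdf": "my-sensitive-value"}}
	_, leaky := decodeStringField("password", body["password"])
	fmt.Println("unsafe:", leaky)
	_, safe := safeDecodeStringField("password", body["password"])
	fmt.Println("safe:  ", safe)
}
```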
DailyCVE Form
Platform: OpenBao/HashiCorp Vault
Version: Latest (pre-patch)
Vulnerability: Information disclosure
Severity: Medium
Date: 2025-09
Prediction: Patch by Q4 2025
What Undercode Say
# Start a dev-mode OpenBao server listening on port 8300 with root token "root"
podman run -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
# Send a map where the password field expects a string; the decode error echoes the value
curl -X PUT -H "X-Vault-Token: root" -d '{"password":{"asdf":"my-sensitive-value"}}' "http://localhost:8300/v1/auth/userpass/users/adsf"
How to Exploit
Send malformed input (a map where a string is expected) to endpoints that decode sensitive fields; the resulting error message echoes the submitted value.
Protection from this CVE
Sanitize error messages so decode failures do not echo the submitted value.
Update to the patched version.
Disable verbose logging of request-handling errors.
Impact
Sensitive data exposure.
Limited mitigation.
Medium severity.
Sources:
Reported By: github.com