
GHSA-RXP7-9Q75-VJ3P OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse

Impact

OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes.

Patches

OpenBao v2.3.2 will patch this issue.

Workarounds

Use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/

References

This issue was disclosed to HashiCorp and is the OpenBao equivalent of the following tickets: https://discuss.hashicorp.com/t/hcsec-2025-19-vault-login-mfa-bypass-of-rate-limiting-and-totp-token-reuse/76038
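As an added illustration (not OpenBao's code and not the actual patch), the following Go sketch shows the defensive pattern the advisory points at: reject any submitted code that is not exactly the expected six ASCII digits before it reaches a lenient TOTP library, count the attempt before parsing, and key the used-code set on that already-canonical value. `Verifier`, `ValidateCode` and the `Valid` callback are hypothetical names chosen for the example.

```go
package main
import (
	"errors"
	"strings"
)
var (
	ErrBadFormat   = errors.New("totp: code must be exactly 6 ASCII digits")
	ErrReplay      = errors.New("totp: code already used")
	ErrRateLimited = errors.New("totp: too many attempts")
)
// ValidateCode rejects anything but exactly six ASCII digits, so a whitespace
// variant never reaches a lenient TOTP library and every state key is canonical.
func ValidateCode(code string) error {
	if len(code) != 6 || strings.Trim(code, "0123456789") != "" {
		return ErrBadFormat
	}
	return nil
}

// Verifier is a hypothetical MFA method, not OpenBao's code: attempts are
// counted per user and consumed codes are keyed on user plus code.
type Verifier struct {
	MaxAttempts int
	Valid       func(user, code string) bool // hypothetical TOTP check
	attempts    map[string]int
	used        map[string]bool
}
// Verify burns an attempt before any parsing, so malformed input cannot probe
// for free, then applies the replay check and the TOTP check in that order.
func (v *Verifier) Verify(user, code string) error {
	if v.used == nil { // a zero Verifier is usable
		v.attempts, v.used = map[string]int{}, map[string]bool{}
	}
	if v.attempts[user] >= v.MaxAttempts {
		return ErrRateLimited
	}
	v.attempts[user]++
	if err := ValidateCode(code); err != nil {
		return err
	}
	key := user + "\x00" + code
	if v.used[key] {
		return ErrReplay
	}
	if !v.Valid(user, code) {
		return errors.New("totp: invalid code")
	}
	v.used[key] = true
	return nil
}
```

The attempt counter here is a fixed budget per user for brevity; a real method would reset it on a time window, as the rate-limit quotas linked above do.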
