Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group identity group, escalating their or another user's permissions in the system. Specifically this is an issue when:
identity/groups endpoints.Otherwise, an operator with policy access could create or modify an existing policy to grant root-equivalent permissions through the sudo capability.
Patched in version 2.4.4.
Users should audit the use of identity subsystem and deny operators access if it is not in use.
| Score | Percentile |
|---|---|
| 0.05% | 15.88% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.5 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-7ff4-jw48-3436 ↗ |
| CVE | CVE-2025-64761 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/openbao/openbao | < 2.4.4 | 2.4.4 | — |