A critical denial-of-service vulnerability in HashiCorp Vault may enable malicious actors to overwhelm servers with specially crafted JSON payloads, resulting in excessive resource consumption and rendering Vault instances unresponsive.
Tracked as CVE-2025-6203 and disclosed on August 28, 2025, the flaw affects both Vault Community and Enterprise editions from version 1.15.0 up to several patched releases.
Operators are urged to upgrade to Vault 1.20.3 (Community and Enterprise), 1.19.9, 1.18.14, or 1.16.25 to mitigate the issue.
Memory-Based DoS Vulnerability
Vault's audit devices are responsible for logging every request interaction before the request is completed.
A malicious client can submit a payload that stays within the default max_request_size limit (32 MiB by default) but uses deeply nested JSON structures or an excessive number of entries to force high CPU and memory usage in the audit subroutine.
As the JSON parser recurses through long string values or objects with very high entry counts, memory consumption spikes, triggering timeouts and causing the Vault server to become unresponsive.
HashiCorp has released new listener configuration options to further harden Vault against abusive JSON payloads. The TCP listener may now be configured with:
max_json_depth: Maximum nesting depth for JSON objects.
max_json_string_value_length: Maximum length for string values.
max_json_object_entry_count: Maximum number of key/value pairs in an object.
max_json_array_element_count: Maximum number of elements in a JSON array.
Operators can find detailed guidance in the API documentation for listener parameters and the Vault upgrade guide.
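To show what the four listener limits above actually enforce, here is an added example (written for this article, not Vault's own code) of a streaming pre-check that rejects a payload as soon as its depth, string length, object entry count or array element count exceeds a configured limit; the Limits field names and the values used in testing are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)
// Limits mirrors the four listener parameters added in the patched Vault releases
// (max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count).
type Limits struct{ MaxDepth, MaxStringLen, MaxObjectEntries, MaxArrayElements int }
// CheckJSON walks the payload token by token (no parse tree is built, so the
// check stays cheap) and rejects it as soon as any structural limit is hit.
func CheckJSON(payload string, l Limits) error {
	dec := json.NewDecoder(strings.NewReader(payload))
	isObject, counts := []bool{}, []int{} // per nesting level: container kind, keys+values or elements seen
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(counts) == 0 {
			return nil // well-formed and within every limit
		} else if err == io.EOF {
			return io.ErrUnexpectedEOF // truncated payload: containers still open
		} else if err != nil {
			return err // malformed JSON is rejected too
		}
		if d, ok := tok.(json.Delim); ok && (d == '}' || d == ']') {
			isObject, counts = isObject[:len(isObject)-1], counts[:len(counts)-1]
			continue
		}
		if n := len(counts); n > 0 { // account for one key or value at the innermost level
			counts[n-1]++
			if isObject[n-1] && (counts[n-1]+1)/2 > l.MaxObjectEntries {
				return fmt.Errorf("object has more than %d entries", l.MaxObjectEntries)
			} else if !isObject[n-1] && counts[n-1] > l.MaxArrayElements {
				return fmt.Errorf("array has more than %d elements", l.MaxArrayElements)
			}
		}
		switch v := tok.(type) {
		case json.Delim: // '{' or '[' opens a new level (it was counted as one value above)
			if len(counts)+1 > l.MaxDepth {
				return fmt.Errorf("nesting depth exceeds %d", l.MaxDepth)
			}
			isObject, counts = append(isObject, v == '{'), append(counts, 0)
		case string: // checked for keys as well as values
			if len(v) > l.MaxStringLen {
				return fmt.Errorf("string of %d bytes exceeds %d", len(v), l.MaxStringLen)
			}
		}
	}
}
```

Because the check only tracks a counter per nesting level, its own memory use stays proportional to the configured depth limit rather than to the payload, which is the property the listener limits rely on.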
HashiCorp credits Darrell Bethea, Ph.D., of Indeed for responsibly reporting this vulnerability.
Risk Factors and Details
Affected Products: Vault Community and Vault Enterprise 1.15.0 through 1.20.2, 1.19.8, 1.18.13, and 1.16.24
Impact: Denial of Service
Exploit Prerequisites: Network access to the Vault listener; ability to submit HTTP API requests with crafted JSON payloads
CVSS 3.1 Score: 7.5 (High)
Mitigations
To remediate CVE-2025-6203, customers should upgrade to one of the patched versions: Vault Community Edition 1.20.3 or Vault Enterprise editions 1.20.3, 1.19.9, 1.18.14, or 1.16.25.
Upgrading will enable built-in limits on JSON payload complexity, preventing the excessive recursion that triggers the denial of service.
Administrators are also encouraged to review their max_request_size settings and apply listener-level constraints to JSON parsing as part of a defense-in-depth strategy.