A critical vulnerability in HashiCorp Vault—tracked as CVE-2025-6203 and HCSEC-2025-24—has been disclosed that allows malicious actors to submit specially crafted payloads capable of exhausting server resources and rendering Vault instances unresponsive.
The flaw affects both Vault Community and Enterprise editions, spanning versions 1.15.0 through 1.20.2 (with select earlier patch versions), and was publicly disclosed on August 28, 2025.
An upgrade to fixed releases, including Vault 1.20.3 and corresponding Enterprise patches, eliminates the risk.
Vault’s auditing subsystem logs every request before the operation completes. By sending a request payload that stays within the default 32 MiB request size limit but contains deeply nested or very large JSON structures, attackers can force excessive memory and CPU usage.
This resource consumption can cause the audit process to time out, stalling the Vault server’s main thread and ultimately causing it to hang or crash.
| Field | Details |
| --- | --- |
| CVE Identifier | CVE-2025-6203 (HCSEC-2025-24) |
| Publication Date | August 28, 2025 |
| Affected Products/Versions | Vault Community and Vault Enterprise 1.15.0 through 1.20.2; additionally 1.19.8, 1.18.13, and 1.16.24 |
| Fixed Versions | Vault Community Edition 1.20.3; Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25 |
In response to CVE-2025-6203, HashiCorp has introduced new listener configuration parameters to better constrain JSON payloads. Operators can now enforce limits on:
- max_json_depth
- max_json_string_value_length
- max_json_object_entry_count
- max_json_array_element_count
These options complement the existing max_request_size setting and can be applied per listener in Vault’s TCP listener configuration.
Detailed guidance on these parameters is available in the Vault API documentation and upgrade guide.
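A TCP listener stanza that applies these limits next to max_request_size, as an added example that is not from the advisory or HashiCorp’s documentation; the address, certificate paths and numeric limits are assumed placeholders chosen for illustration, not Vault’s defaults.

```hcl
# Added example (not from the advisory or HashiCorp's docs): a Vault TCP listener
# stanza in vault.hcl that sets the JSON payload limits introduced in the fixed
# releases alongside the existing max_request_size. The address, paths and
# numeric values are illustrative assumptions, not HashiCorp's defaults; tune
# them to the largest legitimate payloads your clients actually send.
listener "tcp" {
  address       = "0.0.0.0:8200"               # placeholder
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder path
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder path

  # Existing limit: total request body size in bytes (32 MiB, the default the
  # advisory mentions). Size alone does not bound nesting depth or entry counts,
  # which is why the structural limits below are needed.
  max_request_size = 33554432

  # New limits (Vault 1.20.3 and the Enterprise patch releases): bound the
  # structure of the JSON body so a small but pathological payload is rejected
  # before it reaches the audit pipeline.
  max_json_depth               = 64       # maximum nesting of objects/arrays
  max_json_string_value_length = 1048576  # longest single string value, in bytes
  max_json_object_entry_count  = 5000     # keys per JSON object
  max_json_array_element_count = 5000     # elements per JSON array
}
```

Reload or restart Vault after editing the listener stanza, and watch for client errors on legitimate workloads that previously sent large or deeply nested bodies before lowering the limits further.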
Affected Products and Versions
| Product Edition | Affected Versions | Fixed Versions |
| --- | --- | --- |
| Vault Community | 1.15.0 through 1.20.2 | 1.20.3 |
| Vault Enterprise | 1.20.2, 1.19.8, 1.18.13, 1.16.24 | 1.20.3, 1.19.9, 1.18.14, 1.16.25 |
Organizations running any of the affected versions should assess their exposure and plan an immediate upgrade to one of the patched releases.
Administrators are encouraged to review Vault’s listener configuration and enable the new JSON payload limits to mitigate similar risks in the future. Full upgrade instructions can be found in HashiCorp’s “Upgrading Vault” documentation.
HashiCorp Vault’s audit devices record every client interaction to ensure accountability and traceability.
However, because Vault blocks request completion until audit operations finish, any delay or failure in auditing translates to blocked API endpoints.
By overwhelming the audit pipeline, attackers can induce a denial-of-service condition without needing valid credentials or access tokens.