HashiCorp Vault Vulnerability Lets Attackers Crash Servers


A high-severity denial-of-service vulnerability in HashiCorp Vault allows an attacker who can reach the HTTP API to overwhelm a server with specially crafted JSON payloads, driving CPU and memory consumption high enough that the Vault instance stops responding.

Tracked as CVE-2025-6203 and published on August 28, 2025, the flaw affects Vault Community and Vault Enterprise from version 1.15.0 through 1.20.2, as well as the Enterprise maintenance branches up to and including 1.19.8, 1.18.13, and 1.16.24.

Operators are urged to upgrade to Vault 1.20.3 (Community and Enterprise) or, on the Enterprise maintenance branches, to 1.19.9, 1.18.14, or 1.16.25.


Memory-Based DoS Vulnerability

Vault's audit devices log every request before Vault completes it, so the full request body is serialized and processed on the request path for every call.

A malicious user can submit a payload that stays within the default max_request_size limit (32 MiB) but uses deeply nested JSON structures, very long string values, or objects with an enormous number of entries, forcing extreme CPU and memory usage in the audit subsystem.

As the parser recurses into each nesting level and allocates space for long strings and large entry counts, memory consumption spikes, requests time out, and the Vault server becomes unresponsive.
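The following is an added illustration, not Vault's own code, of why a byte-size cap alone does not stop this class of attack and what a structural limit has to measure. It is a single-pass, non-recursive gate over the raw request bytes that enforces the same four properties the patched listener exposes (nesting depth, string value length, object entry count, array element count); the class and function names, the limit values, and the two constructed abusive payloads are all assumptions of this example.

```python
"""Pre-parse complexity gate for JSON request bodies.

Added example, not HashiCorp's code. It models the four structural limits
that the patched Vault releases expose on the TCP listener (nesting depth,
string value length, object entry count, array element count) as one
non-recursive pass over the raw bytes, so an abusive body is rejected
before a recursive parser ever builds it. Limit values are illustrative.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class JsonLimits:
    max_depth: int = 64              # nesting depth of objects/arrays
    max_string_len: int = 64 * 1024  # bytes inside any single string
    max_object_entries: int = 1000   # key/value pairs in one object
    max_array_elements: int = 10000  # elements in one array


def check_json_complexity(body: bytes, limits: JsonLimits) -> tuple[bool, str]:
    """Return (ok, reason); ok is False if any limit is exceeded.

    The scan is linear and uses an explicit stack of [kind, entry_count]
    instead of recursion, so it cannot itself be exhausted by nesting.
    It does not validate the JSON grammar; that remains the parser's job
    once the body has passed this gate.
    """
    stack: list[list[int]] = []
    i, n = 0, len(body)
    while i < n:
        c = body[i]
        if c == 0x22:  # '"': skip the string, honouring backslash escapes
            j = i + 1
            while j < n and body[j] != 0x22:
                j += 2 if body[j] == 0x5C else 1
            if j - i - 1 > limits.max_string_len:
                return False, f"string value longer than {limits.max_string_len} bytes"
            if stack and stack[-1][1] == 0:
                stack[-1][1] = 1  # first entry (key or element) of the container
            i = j + 1
            continue
        if c in (0x7B, 0x5B):  # '{' or '[' opens a new nesting level
            if stack and stack[-1][1] == 0:
                stack[-1][1] = 1
            stack.append([c, 0])
            if len(stack) > limits.max_depth:
                return False, f"nesting deeper than {limits.max_depth}"
        elif c in (0x7D, 0x5D):  # '}' or ']' closes the current level
            if stack:
                stack.pop()
        elif c == 0x2C and stack:  # ',' adds an entry to the open container
            stack[-1][1] += 1
            kind, count = stack[-1]
            if kind == 0x7B and count > limits.max_object_entries:
                return False, f"object with more than {limits.max_object_entries} entries"
            if kind == 0x5B and count > limits.max_array_elements:
                return False, f"array with more than {limits.max_array_elements} elements"
        elif c not in b" \t\r\n" and stack and stack[-1][1] == 0:
            stack[-1][1] = 1  # first scalar entry of the container
        i += 1
    return True, "ok"


def nested_payload(depth: int) -> bytes:
    """Constructed abuse case: tiny in bytes, deep in structure."""
    return b"[" * depth + b"]" * depth


def wide_object(entries: int) -> bytes:
    """Constructed abuse case: one object with a huge number of keys."""
    return b"{" + b",".join(b'"k%d":0' % k for k in range(entries)) + b"}"


if __name__ == "__main__":
    limits = JsonLimits()
    deep = nested_payload(100_000)  # about 200 KB, far under a 32 MiB cap
    print(len(deep), check_json_complexity(deep, limits))
    try:
        json.loads(deep)  # CPython's JSON parser is recursive
    except RecursionError:
        print("json.loads gave up with RecursionError on the deep payload")
    print(check_json_complexity(wide_object(5_000), limits))
```

The point the gate makes concrete: a 200 KB body is a tiny fraction of the default 32 MiB request limit, yet it carries 100,000 nesting levels, which is exactly the dimension a size cap never sees. Vault applies the equivalent checks inside the listener, so this code is only a model of the policy, not a replacement for upgrading.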

HashiCorp has introduced new listener configuration options to further harden Vault against abusive JSON payloads. The TCP listener may now be configured with:

  • max_json_depth: Maximum nesting depth for JSON objects.
  • max_json_string_value_length: Maximum length for string values.
  • max_json_object_entry_count: Maximum number of key/value pairs in an object.
  • max_json_array_element_count: Maximum elements in a JSON array.
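An added example of a TCP listener stanza that sets all four new parameters alongside the pre-existing request size cap. This is illustrative configuration written for this article, not a fragment from HashiCorp's documentation; the address, TLS file paths and the limit values are assumptions and should be tuned to the largest legitimate secrets and policies an environment actually writes.

```hcl
# Added example listener configuration (not from the advisory).
# Requires a patched release: 1.20.3, 1.19.9, 1.18.14 or 1.16.25 or later.
listener "tcp" {
  address       = "0.0.0.0:8200"                # assumed bind address
  tls_cert_file = "/etc/vault/tls/vault.crt"    # assumed path
  tls_key_file  = "/etc/vault/tls/vault.key"    # assumed path

  # Byte-size cap that existed before the fix (32 MiB is the default).
  # On its own it bounds bytes, not structure.
  max_request_size = 33554432

  # Structural limits introduced with the CVE-2025-6203 fix; values are
  # illustrative, not HashiCorp's defaults.
  max_json_depth               = 64
  max_json_string_value_length = 1048576
  max_json_object_entry_count  = 1000
  max_json_array_element_count = 10000
}
```

Set the limits on every listener, including any secondary or internal listeners, since a request that reaches any of them is audited on the same path. After a change, validate with a known-good client workload before rolling out, because an overly tight max_json_string_value_length will reject large legitimate secrets rather than attackers.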

Operators can find detailed guidance in the TCP listener configuration documentation and the Vault upgrade guide.

HashiCorp acknowledges Darrell Bethea, Ph.D., of Indeed for responsibly reporting this vulnerability.

Risk Factor            Details
Affected Products      Vault Community and Vault Enterprise 1.15.0 through 1.20.2; Vault Enterprise 1.19.8, 1.18.13, and 1.16.24 and earlier on their branches
Impact                 Denial of Service
Exploit Prerequisites  Network access to a Vault listener and the ability to submit HTTP API requests with crafted JSON payloads
CVSS 3.1 Score         7.5 (High)

Mitigations

To remediate CVE-2025-6203, customers should upgrade to one of the patched versions: Vault Community Edition 1.20.3 or Vault Enterprise editions 1.20.3, 1.19.9, 1.18.14, or 1.16.25. 

The patched releases bound the nesting depth and size of JSON that Vault will parse on the request path, stopping the runaway recursion and allocation that trigger the denial of service, and expose those bounds as listener parameters.

Administrators are also encouraged to review their max_request_size settings and apply the listener-level JSON limits as part of a defense-in-depth strategy. Note that max_request_size alone is not a mitigation: a 32 MiB body can still carry millions of nesting levels or object entries, so the structural limits are what actually cap the parser's work.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.