Fluid Attacks Database

Description

Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/hashicorp/vault	>=0.3.0 <1.19.3	1.19.3

Aliases

1. CVE-2025-41662. NVD-2025-41663. OSV-2025-41664. GCVE-2025-4166

References

1. https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin2. https://pkg.go.dev/vuln/GO-2025-3663