logo

Database

Asymmetric denial of service In github.com/hashicorp/vault

Description

HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-62032. NVD-2025-62033. OSV-2025-62034. GCVE-2025-6203

References

1. https://github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab892. https://discuss.hashicorp.com3. https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.