HashiCorp Vault Vulnerability Lets Attackers Crash Servers

A critical vulnerability has been identified in HashiCorp Vault, which could lead to a denial-of-service condition. This issue can be exploited by sending specially crafted JSON payloads, causing excessive resource consumption and rendering Vault instances unresponsive.

Technical Details

The vulnerability, tracked as CVE-2025-6203 and disclosed on Thursday, August 28, 2025, affects both Vault Community and Enterprise editions from version 1.15.0 onward, up to the fixed releases listed below. Users are advised to upgrade to the following versions to mitigate the issue:

  • Vault Community Edition 1.20.3
  • Vault Enterprise Edition 1.20.3, 1.19.9, 1.18.14, 1.16.25

Memory-Based DoS Vulnerability

The vulnerability lies in Vault’s audit logging mechanisms. An attacker can submit a payload that stays within the default max_request_size limit (32 MiB by default) but uses deeply nested JSON structures to drive up CPU and memory usage, leaving the server unresponsive.

HashiCorp has introduced listener configuration options to mitigate these risks, including:

  • max_json_depth: Defines the maximum nesting depth for JSON objects.
  • max_json_string_value_length: Specifies the maximum length for string values.
  • max_json_object_entry_count: Limits the number of key/value pairs in an object.
  • max_json_array_element_count: Controls the maximum number of elements in a JSON array.

Operators can refer to the API documentation for additional guidance on configuring these parameters.

Mitigations

To address CVE-2025-6203, it is recommended to upgrade to one of the patched versions mentioned above. This update implements built-in limits on JSON payload complexity, preventing denial-of-service conditions caused by excessive recursion.

Administrators are encouraged to review their max_request_size settings and apply listener-level constraints on JSON parsing as part of a comprehensive defense strategy.

HashiCorp has acknowledged Darrell Bethea, Ph.D., of Indeed, for responsibly disclosing this vulnerability.