Bulletin ID: HCSEC-2025-09
Affected Products / Versions:
Vault Community Edition from 0.3.0 up to 1.19.2, fixed in 1.19.3.
Vault Enterprise from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15, 1.16.19, fixed in 1.19.3, 1.18.9, 1.17.16, 1.16.20.
Publication Date: May 2, 2024
Summary
The Key/Value (kv) Version 2 plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.
Background
The kv secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault. This secrets engine can run in one of two modes: store a single value for a key, or store a number of versions for each key and maintain a record of them. More information can be found at https://developer.hashicorp.com/vault/docs/secrets/kv
Details
When creating or updating secrets using the KV v2 plugin through the REST API, Vault inadvertently wrote the value of the secret to the server logs and audit logs when an error occurred. The inadvertent logging only affected operations where the payload was sent incorrectly, such as improperly formatted JSON. Normal operations through the UI or CLI are unaffected.
Remediation
Customers with the capability to search through server and audit logs for any possibly exposed secrets can refer to the following snippets to aid in searching. More information on viewing audit and server logs can be found in the Troubleshoot Vault guide on HashiCorp Developer.
Audit Log
{"auth":{"token_type":"default"},"error":"error converting input <sensitive data> for field \"data\": '' expected a map, got 'string'","request":{"client_token":"","client_token_accessor":"","data":{"data":""},"id":"","":"","mount_class":"secret","mount_point":"kv/","mount_type":"kv","mount_running_version":"","namespace":{""},"operation":"update","path":"","remote_address":"","remote_port":},"time":"","type":"request"}
Server Log
[ERROR] core: failed to run existence check: error="error converting input <secret data> for field \"data\": '' expected a map, got 'string'"
If any matches are found, rotating the affected secret is advised.
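As an added example (not part of this bulletin or of Vault itself), a small Python scanner for the two log patterns above: it reads audit lines (one JSON object per line) and server log lines, flags entries carrying the error text, and reports the mount point and path where the audit entry provides them, together with a short hash of the leaked value rather than the value itself. The request field names mount_point and path are taken from the audit sample; the log lines below are constructed.

```python
import hashlib
import json
import re

# Error text from the bulletin's samples; the leaked payload sits between "error
# converting input " and " for field". Optional backslashes accept both the raw
# server-log text (\"data\") and the already-decoded audit "error" field.
EXPOSURE_RE = re.compile(
    r'error converting input (?P<value>.+?) for field \\?"data\\?": '
    r"'' expected a map, got 'string'"
)

def scan_lines(lines):
    """One finding per line carrying a leaked KV v2 payload; never echoes the value."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        source, mount_point, path, haystack = "server", None, None, line
        if line.startswith("{"):  # audit log: one JSON object per line
            source = "audit"
            try:
                entry = json.loads(line)
                req = entry.get("request") or {}
                mount_point, path = req.get("mount_point"), req.get("path")
                haystack = entry.get("error") or ""
            except json.JSONDecodeError:
                pass  # truncated or redacted entry: fall back to a raw text search
        m = EXPOSURE_RE.search(haystack)
        if m:
            # Short hash ties findings to the rotated secret without copying the value again.
            digest = hashlib.sha256(m.group("value").encode()).hexdigest()[:12]
            findings.append({"line": lineno, "source": source, "mount_point": mount_point,
                             "path": path, "fingerprint": digest})
    return findings

# Constructed sample lines (not from the bulletin): an audit entry and a server
# line leaking the same payload, followed by two benign lines.
SAMPLE_LINES = [
    json.dumps({"type": "request",
                "error": "error converting input hunter2-db-password for field \"data\": "
                         "'' expected a map, got 'string'",
                "request": {"operation": "update", "mount_type": "kv",
                            "mount_point": "kv/", "path": "kv/data/prod/db"}}),
    '2025-05-01T10:00:00.001Z [ERROR] core: failed to run existence check: '
    'error="error converting input hunter2-db-password for field \\"data\\": '
    '\'\' expected a map, got \'string\'"',
    json.dumps({"type": "request", "request": {"mount_point": "kv/", "path": "kv/data/prod/api"}}),
    "2025-05-01T10:00:02.000Z [INFO]  core: successful mount: path=kv/ type=kv",
]
```

Run scan_lines over each audit device file and the server log; a server-log finding carries no path, so correlate it with audit findings by fingerprint to learn which secret to rotate.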
Customers should evaluate the risk associated with this issue and consider upgrading to Vault 1.19.3, 1.18.9, 1.17.16, 1.16.20, or newer. Please refer to Upgrading Vault for general guidance.
Acknowledgement
This issue was identified by the Vault engineering team.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.