HCSEC-2025-24 - Vault Denial of Service Through Complex JSON Payloads

Bulletin ID: HCSEC-2025-24

Affected Products / Versions: Vault Community and Vault Enterprise 1.15.0 up to 1.20.2, 1.19.8, 1.18.13, and 1.16.24; fixed in Vault 1.20.3, 1.19.9, 1.18.14, 1.16.25

Publication Date: August 28, 2025

Summary

A malicious user may submit a specially crafted, complex payload that stays within the default request size limit yet causes excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Background

Vault’s audit devices keep a detailed log of every request to Vault, and a request does not complete until the audit operation has completed.

Vault enforces a max_request_size (32MiB by default) which can be further configured by operators.

Details

In addition to max_request_size, Vault now enforces limits on the structure of JSON request payloads and provides new listener options to set them: max_json_depth, max_json_string_value_length, max_json_object_entry_count, and max_json_array_element_count. More information about these listener configuration options can be found in the API documentation and upgrade guide.
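To show why a byte-size cap alone does not bound decoding cost, here is an added example (not HashiCorp's code) of a Go token walk that enforces the four structural bounds named above on a request body before it is decoded; the Limits field names mirror the listener options, and all limit values and sample payloads are constructed assumptions, not Vault's defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Limits mirrors the four listener options named in the bulletin; the values used in the test are illustrative assumptions, not Vault's defaults.
type Limits struct{ MaxDepth, MaxStringValueLength, MaxObjectEntryCount, MaxArrayElementCount int }

// frame is one open container and the tokens seen directly inside it; in an object tokens alternate key, value, so odd positions are keys.
type frame struct{ isObject bool; tokens int }

// CheckJSONLimits walks the payload token by token, never building a tree, and fails as soon as any bound is crossed.
func CheckJSONLimits(payload string, l Limits) error {
	dec := json.NewDecoder(strings.NewReader(payload))
	var stack []*frame
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // clean end of document: every bound held
		} else if err != nil {
			return err
		}
		if d, isDelim := tok.(json.Delim); isDelim && (d == '}' || d == ']') {
			stack = stack[:len(stack)-1] // close the innermost container
		} else {
			if n := len(stack); n > 0 { // attribute this token to the innermost container
				top := stack[n-1]
				top.tokens++
				entries, limit := top.tokens, l.MaxArrayElementCount
				if top.isObject { // two tokens (key and value) per object entry
					entries, limit = (top.tokens+1)/2, l.MaxObjectEntryCount
				}
				if entries > limit {
					return fmt.Errorf("container entry count exceeds %d", limit)
				}
				if s, ok := tok.(string); ok && len(s) > l.MaxStringValueLength && !(top.isObject && top.tokens%2 == 1) {
					return fmt.Errorf("string value length exceeds %d", l.MaxStringValueLength)
				}
			}
			if isDelim { // '{' or '[' opens one more level of nesting
				stack = append(stack, &frame{isObject: d == '{'})
				if len(stack) > l.MaxDepth {
					return fmt.Errorf("nesting depth exceeds %d", l.MaxDepth)
				}
			}
		}
	}
}
```

A 200-byte payload of 100 nested arrays passes a 32 MiB size check but is rejected at the depth bound before the decoder allocates anything for it.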

Remediation

Customers should evaluate the risk associated with these issues and consider upgrading to Vault Community Edition 1.20.3 or Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25. Please refer to Upgrading Vault for general guidance.

Acknowledgement

This issue was identified by Darrell Bethea, Ph.D. of Indeed who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.