HCSEC-2025-32 - Incomplete Fix For Previous Vault DoS Issue

Bulletin ID: HCSEC-2025-32
Affected Products / Versions:
  Vault Community Edition 1.20.3 to 1.20.4; fixed in 1.21.0.
  Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
Publication Date: October 23, 2025

Summary
A fix for a previous security issue impacting HashiCorp Vault (HCSEC-2025-24 / CVE-2025-6203) was incomplete, and did not fully address the vulnerability. The fix was corrected in Vault versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27. The CVE advisory and security bulletin have been updated to reflect the correct fixed versions.

Background
On August 28, HashiCorp published HCSEC-2025-24, describing a denial of service vulnerability in Vault. After publication, HashiCorp was notified that the JSON complexity check introduced to prevent the denial of service could be bypassed with a differently shaped, specially crafted complex payload.

Details
The logic introduced as part of HCSEC-2025-24 has been corrected, and the corresponding bulletin and CVE have been updated to reflect the correct fixed versions.
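The defensive lesson behind this bulletin is that a payload complexity check must bound every dimension that makes decoding expensive (nesting depth, value count, raw size), because a check that measures only one of them is bypassed by a payload of a different shape. The following Go program is an added illustration of that point; it is not Vault's code and does not reproduce Vault's actual check or the reported bypass. The `Limits` type, `CheckComplexity`, and the deliberately incomplete `NaiveObjectDepth` are hypothetical, and the sample payloads are constructed inline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits bounds every dimension of a JSON document that can make decoding
// expensive. Hypothetical type constructed for this example.
type Limits struct {
	MaxDepth  int   // maximum nesting of objects and arrays combined
	MaxTokens int   // maximum number of JSON tokens (delimiters, keys, values)
	MaxBytes  int64 // maximum raw size of the document
}

var (
	ErrTooDeep  = errors.New("json: nesting depth exceeds limit")
	ErrTooMany  = errors.New("json: token count exceeds limit")
	ErrTooLarge = errors.New("json: byte size exceeds limit")
)

// CheckComplexity walks the token stream without materialising the
// document, so an oversized payload is rejected before any allocation
// proportional to its shape happens. Objects and arrays share one depth
// counter, and every token counts, so a payload cannot dodge the limit by
// switching container type or by being wide instead of deep.
func CheckComplexity(r io.Reader, lim Limits) error {
	lr := &io.LimitedReader{R: r, N: lim.MaxBytes + 1}
	dec := json.NewDecoder(lr)
	depth, tokens := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			if lr.N <= 0 { // the reader was cut off: the document is too big
				return ErrTooLarge
			}
			return err
		}
		tokens++
		if tokens > lim.MaxTokens {
			return ErrTooMany
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				depth++
				if depth > lim.MaxDepth {
					return ErrTooDeep
				}
			case '}', ']':
				depth--
			}
		}
	}
	if lr.N <= 0 { // valid document that consumed more than MaxBytes
		return ErrTooLarge
	}
	return nil
}

// NaiveObjectDepth is a deliberately incomplete check, constructed for this
// example: it bounds only object nesting, so array nesting, wide documents
// and large scalars all pass. It stands in for the general pattern of a
// one-dimensional check, not for any specific product's code.
func NaiveObjectDepth(doc string, maxDepth int) bool {
	depth := 0
	for _, c := range doc {
		switch c {
		case '{':
			depth++
			if depth > maxDepth {
				return false
			}
		case '}':
			depth--
		}
	}
	return true
}

// Constructed sample payloads of different shapes.
func deepArray(n int) string  { return strings.Repeat("[", n) + strings.Repeat("]", n) }
func deepObject(n int) string { return strings.Repeat(`{"k":`, n) + "1" + strings.Repeat("}", n) }
func wideObject(n int) string {
	var b strings.Builder
	b.WriteByte('{')
	for i := 0; i < n; i++ {
		if i > 0 {
			b.WriteByte(',')
		}
		fmt.Fprintf(&b, `"k%d":%d`, i, i)
	}
	b.WriteByte('}')
	return b.String()
}

func main() {
	lim := Limits{MaxDepth: 32, MaxTokens: 1000, MaxBytes: 1 << 16}
	samples := map[string]string{
		"ordinary":     `{"data":{"value":"s3cr3t"},"ttl":"1h"}`,
		"deep objects": deepObject(100),
		"deep arrays":  deepArray(100),
		"wide object":  wideObject(5000),
		"large string": `{"s":"` + strings.Repeat("a", 70000) + `"}`,
	}
	for name, doc := range samples {
		fmt.Printf("%-13s naive_passes=%-5v full_check=%v\n",
			name, NaiveObjectDepth(doc, 32), CheckComplexity(strings.NewReader(doc), lim))
	}
}
```

Running the program shows that the one-dimensional check accepts three of the four hostile shapes while the combined check rejects all of them; a regression suite for a fix of this kind should carry one case per dimension so that an incomplete correction is caught before release.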

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.21.0, or to Vault Enterprise 1.21.0, 1.20.5, 1.19.11, or 1.16.27.

Please refer to Upgrading Vault for general guidance.

Acknowledgement
This issue was identified by Darrell Bethea, Ph.D. of Indeed.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.