VDB
CVE-2025-4166
CVE-2025-4166
PUBLISHED
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.
EPSS 0.15% · 34.8th percentile
Risk Scores
EPSS Score
0.15%
34.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | vault | 0.3.0 |
| Bitnami | vault | 0.3.0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-4166 (circl-sighting)
- CIRCL seen: CVE-2025-4166 (circl-sighting)
- CIRCL seen: CVE-2025-4166 (circl-sighting)
- CIRCL seen: CVE-2025-4166 (circl-sighting)
- https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin (circl)
Timeline
- May 2, 2025 CVE Published
- May 2, 2025 PoC Published
- May 2, 2025 PoC Published
- May 2, 2025 PoC Published
- May 3, 2025 EPSS Score
- May 6, 2025 CVE Updated
- May 15, 2025 EPSS Score
- May 27, 2025 EPSS Score
- Jun 7, 2025 EPSS Score
- Jun 13, 2025 Coalition ESS Score
- Jun 19, 2025 EPSS Score
- Jun 25, 2025 PoC Published