VDB

CVE-2025-59043

CVE-2025-59043 PUBLISHED CVSS 7.5 HIGH

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.

EPSS 0.16% · 36.8th percentile

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.16%
36.8th percentile

Affected Products

VendorProductVersions
github.comopenbao/openbao0
openbaoopenbao< 2.4.1, 0

Exploit Intelligence

Timeline

  • Jan 21, 1970 Security Advisory
  • Oct 17, 2025 CVE Published
  • Oct 17, 2025 Coalition ESS Score
  • Oct 18, 2025 EPSS Score
  • Oct 24, 2025 EPSS Score
  • Oct 30, 2025 EPSS Score
  • Nov 5, 2025 EPSS Score
  • Nov 11, 2025 EPSS Score
  • Nov 17, 2025 EPSS Score
  • Nov 23, 2025 EPSS Score
  • Nov 29, 2025 EPSS Score
  • Dec 1, 2025 Coalition ESS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›