
HCSEC-2025-24


**Bulletin ID:** HCSEC-2025-24

**Affected Products / Versions:** Vault Community Edition from 1.15.0 up to 1.20.4, fixed in 1.21.0. Vault Enterprise from 1.15.0 up to 1.20.4, 1.19.10, 1.18.15, and 1.16.26, fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

**Publication Date:** August 28, 2025

**Summary**

A malicious user may submit a specially crafted complex payload that stays within the default request size limit yet causes excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault's auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

**Background**

Vault's [audit devices](https://developer.hashicorp.com/vault/docs/audit) keep a detailed log of every interaction with Vault, and a request does not complete until the audit operation has completed. Vault enforces a [max_request_size](https://developer.hashicorp.com/vault/docs/internals/limits#request-size) (32MiB by default), which operators can configure further.

**Details**

In addition to [max_request_size](https://developer.hashicorp.com/vault/docs/internals/limits#request-size), Vault now enforces limits on JSON request payloads and provides new listener options to set them: `max_json_depth`, `max_json_string_value_length`, `max_json_object_entry_count`, and `max_json_array_element_count`. More information about these listener configuration options can be found in the [API documentation](https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tcp-listener-parameters) and the upgrade guide.

**Remediation**

Customers should evaluate the risk associated with these issues and consider upgrading to Vault Community Edition 1.20.3 or Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.
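The four JSON limits named in the Details section bound how much parser work and memory a request can demand per byte of input, independently of `max_request_size`. The following Go program is an added example, not Vault's own code: it enforces bounds with the same four names over a streaming token reader and rejects a document at the first breach, before any value tree is allocated. The struct, the limit values and the sample documents are constructed for illustration, and counting object entries and array elements from the token stream is this example's own approximation of how the options are applied.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
)
// JSONLimits mirrors the four listener options named in the bulletin; values are the caller's, not Vault's defaults.
type JSONLimits struct {
	MaxDepth            int // max_json_depth
	MaxStringValueLen   int // max_json_string_value_length
	MaxObjectEntryCount int // max_json_object_entry_count
	MaxArrayElemCount   int // max_json_array_element_count
}

// CheckJSONLimits streams a document token by token and fails at the first breach, before any value tree is built.
func CheckJSONLimits(r io.Reader, lim JSONLimits) error {
	type frame struct{ isObject bool; tokens int } // one open container and the tokens seen directly inside it
	dec := json.NewDecoder(r)
	var stack []frame
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		d, isDelim := tok.(json.Delim)
		if isDelim && (d == '}' || d == ']') {
			stack = stack[:len(stack)-1] // Token() already checked that delimiters match
			continue
		}
		if n := len(stack); n > 0 { // any other token is a member of the enclosing container
			top := &stack[n-1]
			top.tokens++ // object members arrive as key/value pairs: entries = tokens/2 rounded up
			if top.isObject && (top.tokens+1)/2 > lim.MaxObjectEntryCount {
				return fmt.Errorf("object exceeds %d entries", lim.MaxObjectEntryCount)
			} else if !top.isObject && top.tokens > lim.MaxArrayElemCount {
				return fmt.Errorf("array exceeds %d elements", lim.MaxArrayElemCount)
			}
		}
		if isDelim { // an opening '{' or '['
			if stack = append(stack, frame{isObject: d == '{'}); len(stack) > lim.MaxDepth {
				return fmt.Errorf("nesting exceeds depth %d", lim.MaxDepth)
			}
		} else if s, ok := tok.(string); ok && len(s) > lim.MaxStringValueLen {
			return fmt.Errorf("string exceeds %d bytes", lim.MaxStringValueLen) // keys are bounded too
		}
	}
}
```

A deeply nested or very wide document fails after a bounded number of tokens, so the cost of rejecting it is proportional to the limit rather than to the payload.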
**Acknowledgement**

This issue was identified by Darrell Bethea, Ph.D. of Indeed, who reported it to HashiCorp. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*

Timeline

  • Aug 28, 2025 CVE Published