Timeline
- Oct 23, 2025 CVE Published

**Bulletin ID:** HCSEC-2025-32

**Affected Products / Versions:**
- Vault Community Edition 1.20.3 to 1.20.4; fixed in 1.21.0.
- Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27

**Publication Date:** October 23, 2025

**Summary**

A fix for a previous security issue impacting HashiCorp Vault ([HCSEC-2025-24](https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393) / CVE-2025-6203) was incomplete, and did not fully address the vulnerability. The fix was corrected in Vault versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27. The CVE advisory and security bulletin have been updated to reflect the correct fixed versions.

**Background**

On August 28, HashiCorp published HCSEC-2025-24, describing a denial of service vulnerability with Vault. After the publication, HashiCorp was notified that the JSON complexity check designed to prevent the denial of service issue could be bypassed with a different specially-crafted complex payload.

**Details**

The logic introduced as part of HCSEC-2025-24 has been corrected, and the corresponding bulletin and CVE have been updated to reflect the correct fixed versions.

**Remediation**

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27. Please refer to [Upgrading Vault](https://developer.hashicorp.com/vault/docs/upgrading) for general guidance.

**Acknowledgement**

This issue was identified by Darrell Bethea, Ph.D. of Indeed.

*We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*