A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit, which results in excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
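The description says only that a body which fits under the byte-size limit still drives CPU and memory consumption (CWE-770, allocation of resources without limits or throttling); it does not say what makes the payload "complex". The following is an added illustration written for this page in Go (Vault's language), not Vault's code and not the vendor's fix: a streaming check that bounds two structural measures of a JSON body, nesting depth and token count, on top of a byte cap, and rejects small bodies that a size limit alone would admit. The limit values, the function names and the sample bodies are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Illustrative limits (assumptions for this example, not Vault's settings).
// MaxBodyBytes stands in for a request size limit; the other two bound the
// structural complexity of a body that is already within that size.
const (
	MaxBodyBytes = 1 << 20 // 1 MiB
	MaxDepth     = 64      // deepest allowed nesting of objects/arrays
	MaxTokens    = 10000   // most JSON tokens allowed in one body
)

var ErrTooComplex = errors.New("json payload exceeds complexity limits")

// CheckJSONComplexity walks the body token by token with json.Decoder, so it
// never materialises the whole document. It fails fast with ErrTooComplex on
// the first limit that is exceeded; other decoder errors (truncation,
// malformed JSON) are returned as they are.
func CheckJSONComplexity(r io.Reader, maxDepth, maxTokens int) error {
	dec := json.NewDecoder(io.LimitReader(r, MaxBodyBytes+1))
	depth, tokens := 0, 0
	for {
		tok, err := dec.Token()
		if errors.Is(err, io.EOF) {
			return nil
		}
		if err != nil {
			return err
		}
		tokens++
		if tokens > maxTokens {
			return ErrTooComplex
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				depth++
				if depth > maxDepth {
					return ErrTooComplex
				}
			case '}', ']':
				depth--
			}
		}
	}
}

// NestedArrays builds a constructed payload of n nested empty arrays:
// only 2n bytes, but n levels deep.
func NestedArrays(n int) string {
	return strings.Repeat("[", n) + strings.Repeat("]", n)
}

// WideArray builds a constructed flat array of n integers: roughly 2n bytes,
// but n+2 tokens.
func WideArray(n int) string {
	return "[" + strings.Repeat("1,", n-1) + "1]"
}

func main() {
	cases := map[string]string{
		"ordinary request": `{"path":"secret/data/app","data":{"k":"v"}}`,
		"deep nesting":     NestedArrays(200),
		"wide array":       WideArray(20000),
	}
	for name, body := range cases {
		err := CheckJSONComplexity(strings.NewReader(body), MaxDepth, MaxTokens)
		fmt.Printf("%-17s %6d bytes -> %v\n", name, len(body), err)
	}
}
```

Both rejected bodies are far below the 1 MiB byte cap; the depth and token counters are what catch them. A check like this belongs in front of the full unmarshal, since the cost the advisory describes is incurred while the body is being parsed and handled, not while it is being read off the wire.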
Fixes

Solution

No separate solution entry is given by the vendor; per the description above, the issue is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25, so upgrading to one of those releases is the fix.


Workaround

No workaround given by the vendor.

History

Sun, 31 Aug 2025 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hashicorp
                                      Hashicorp vault
                                      Hashicorp vault Enterprise
Vendors & Products                    Hashicorp
                                      Hashicorp vault
                                      Hashicorp vault Enterprise

Fri, 29 Aug 2025 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 Aug 2025 00:15:00 +0000

Type                      Values Removed   Values Added
References
Metrics threat_severity   None             Important


Thu, 28 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 28 Aug 2025 21:45:00 +0000


Thu, 28 Aug 2025 19:45:00 +0000

Type          Values Removed   Values Added
Description                    A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit, which results in excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
Title                          Vault unauthenticated denial of service through complex JSON payload
Weaknesses                     CWE-770 (Allocation of Resources Without Limits or Throttling)
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2025-08-29T13:36:52.434Z

Reserved: 2025-06-17T13:39:36.506Z

Link: CVE-2025-6203

Vulnrichment

Updated: 2025-08-29T13:36:49.616Z

NVD

Status : Awaiting Analysis

Published: 2025-08-28T20:15:43.817

Modified: 2025-08-29T16:24:29.730

Link: CVE-2025-6203

Red Hat

Severity : Important

Public Date: 2025-08-28T19:36:09Z

Links: CVE-2025-6203 - Bugzilla

OpenCVE Enrichment

Updated: 2025-08-31T08:41:43Z