A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
History

Sun, 31 Aug 2025 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp vault
Hashicorp vault Enterprise
Vendors & Products Hashicorp
Hashicorp vault
Hashicorp vault Enterprise

Fri, 29 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 28 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 28 Aug 2025 21:45:00 +0000


Thu, 28 Aug 2025 19:45:00 +0000

Type Values Removed Values Added
Description A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
Title Vault unauthenticated denial of service through complex json payload
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2025-08-29T13:36:52.434Z

Reserved: 2025-06-17T13:39:36.506Z

Link: CVE-2025-6203

cve-icon Vulnrichment

Updated: 2025-08-29T13:36:49.616Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-08-28T20:15:43.817

Modified: 2025-08-29T16:24:29.730

Link: CVE-2025-6203

cve-icon Redhat

Severity : Important

Publid Date: 2025-08-28T19:36:09Z

Links: CVE-2025-6203 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-08-31T08:41:43Z