cbcvebase.
CVE-2025-4166
published 2025-05-02

CVE-2025-4166: Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users…

Priority: P4 (34), medium
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.34% (25.3th percentile)
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Affected

16 ranges

Vendor     | Product                                  | Version range        | Fixed in
-----------|------------------------------------------|----------------------|---------
github.com | hashicorp_vault                          | >= 0.3.0 < 1.19.3    | 1.19.3
github.com | openbao_openbao_sdk_v2                   | >= 0 < 2.3.0         | 2.3.0
hashicorp  | vault                                    | >= 0.3.0 < 1.16.20   | 1.16.20
hashicorp  | vault                                    | >= 0.3.0 < 1.19.3    | 1.19.3
hashicorp  | vault                                    | >= 1.17.0 < 1.17.16  | 1.17.16
hashicorp  | vault                                    | >= 1.18.0 < 1.18.9   | 1.18.9
hashicorp  | vault                                    | >= 1.19.0 < 1.19.3   | 1.19.3
msrc       | cbl2_vim_8.2.4081-1_on_cbl_mariner_2.0   | (not given)          | (not given)
msrc       | cbl_mariner_1.0_arm                      | (not given)          | (not given)
msrc       | cbl_mariner_1.0_x64                      | (not given)          | (not given)
msrc       | cbl_mariner_2.0_arm                      | (not given)          | (not given)
msrc       | cbl_mariner_2.0_x64                      | (not given)          | (not given)
msrc       | cm1_vim_8.2.4006-1_on_cbl_mariner_1.0    | (not given)          | (not given)
openbao    | openbao                                  | < 2.3.0              | 2.3.0
openbao    | openbao                                  | < 2.2.2              | 2.2.2
openbao    | openbao                                  | < 2.3.0              | 2.3.0

CVSS provenance

Source        | Score     | Severity | Vector
--------------|-----------|----------|------------------------------------------------
nvd           | v3.1 6.5  | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
ghsa          | 6.5       | MEDIUM   |
osv           | 6.5       | MEDIUM   |
vendor_msrc   | 7.1       | HIGH     |
vendor_redhat | 4.5       | MEDIUM   |