CVE-2025-59043: Uncontrolled Resource Consumption in OpenBao (vendor: Openbao, product: Openbao)

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 59.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 17; Latest update Oct 30

Description

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against de
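The description above makes a point that is easy to miss when configuring a byte limit such as max_request_size: the serialized length of a JSON body says little about how much memory it occupies once decoded, so a byte cap alone cannot bound decode-time memory. The following Go program is an added illustration of a defensive decoder, not OpenBao's own code and not the fix shipped in 2.4.1 (the page does not describe that fix). It streams the body with encoding/json's Decoder.Token, counts tokens (each of which becomes at least one allocation after a full Unmarshal into interface{}) and rejects the request once a token budget is exceeded, before any decoded tree is built. Function names (CountJSONTokens, DecodeBounded, TokensPerByte), the error values and the sample bodies are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Errors returned by the bounded decoder (names chosen for this example).
var (
	ErrBodyTooLarge = errors.New("request body exceeds byte limit")
	ErrTokenBudget  = errors.New("JSON token budget exceeded")
)

// noBudget is used when only measuring, never when admitting a request.
const noBudget = 1 << 30

// CountJSONTokens streams the document with json.Decoder.Token and counts every
// token (delimiters, keys and values) without building the decoded tree. The
// count tracks post-decode memory, which the serialized byte length does not.
// It stops with ErrTokenBudget as soon as the budget is exceeded, so a hostile
// body is never held in memory in decoded form.
func CountJSONTokens(r io.Reader, maxTokens int) (int, error) {
	dec := json.NewDecoder(r)
	n := 0
	for {
		if _, err := dec.Token(); err != nil {
			if err == io.EOF {
				return n, nil
			}
			return n, err
		}
		n++
		if n > maxTokens {
			return n, ErrTokenBudget
		}
	}
}

// DecodeBounded applies two independent limits before unmarshalling: a byte
// limit (what a setting like max_request_size enforces) and a token budget
// (what the byte limit alone cannot enforce).
func DecodeBounded(body string, maxBytes int64, maxTokens int) (interface{}, error) {
	if int64(len(body)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	// The LimitReader keeps the first pass honest for streamed bodies whose
	// length is not known up front.
	if _, err := CountJSONTokens(io.LimitReader(strings.NewReader(body), maxBytes), maxTokens); err != nil {
		return nil, err
	}
	var v interface{}
	if err := json.Unmarshal([]byte(body), &v); err != nil {
		return nil, err
	}
	return v, nil
}

// TokensPerByte is a crude amplification estimate: decoded tokens per
// serialized byte. Bodies made of little but delimiters score highest.
func TokensPerByte(body string) (float64, error) {
	n, err := CountJSONTokens(strings.NewReader(body), noBudget)
	if err != nil {
		return 0, err
	}
	return float64(n) / float64(len(body)), nil
}

func main() {
	// Constructed sample bodies (not taken from the advisory).
	ordinary := `{"path":"secret/data/app","data":{"user":"svc","ttl":3600}}`
	delimHeavy := `[[],[],[],[],[],[],[],[]]`
	for _, b := range []string{ordinary, delimHeavy} {
		r, _ := TokensPerByte(b)
		_, err := DecodeBounded(b, 1024, 12)
		fmt.Printf("%-62q tokens/byte=%.2f decode err=%v\n", b, r, err)
	}
}
```

Both sample bodies are well under the 1024-byte limit, yet the 59-byte ordinary request (11 tokens) is admitted while the 25-byte delimiter-heavy one (18 tokens) is rejected: the token budget, not the byte cap, is what distinguishes them. In a real service the budget would be sized from the largest legitimate request shape, and the decoded-size check would sit alongside, not instead of, the byte limit.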

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Patches

Vulnerability Details (3 references)

OSV: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests in github.com/openbao/openbao (2025-10-30)
OSV: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests (2025-10-17)
GHSA: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests (2025-10-17)