CVE-2025-6203 — Allocation of Resources Without Limits or Throttling in Vault Enterprise
Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 82.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Aug 28; latest update Oct 17
Description
A malicious user may submit a specially crafted, complex payload that stays within the default request size limit but causes excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault's auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected packages: 4 packages
Vulnerability details
OSV: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests (2025-10-17)
GHSA: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests (2025-10-17)
OSV: HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads in github.com/hashicorp/vault (2025-09-08)