HashiCorp has issued a security advisory for a newly disclosed vulnerability in Vault, its widely used secrets management platform. Tracked as CVE-2025-6203 and rated CVSS 7.5 (High), the flaw could allow a malicious user to trigger a Denial-of-Service (DoS) condition by submitting specially crafted JSON payloads.
The issue stems from Vault’s handling of complex JSON requests. According to the advisory, “A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive.”
This means attackers could exploit the flaw to overwhelm Vault instances, potentially disrupting authentication, authorization, and secret delivery processes in enterprise environments.
Vault by default enforces a max_request_size of 32 MiB (configurable by operators). However, the vulnerability lies not in the overall byte size of a request but in its structural complexity (nesting depth and element counts), which a size limit alone does not constrain.
To mitigate future risks, HashiCorp has introduced new listener configuration options for administrators to set tighter limits on JSON payloads, including:
- max_json_depth
- max_json_string_value_length
- max_json_object_entry_count
- max_json_array_element_count
These controls give operators more granular defenses against malicious payload structures that could otherwise slip past request size restrictions.
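To make the distinction between byte size and structural complexity concrete, here is an added Go illustration (not HashiCorp's code and not how Vault implements these options) that streams a JSON payload's tokens and rejects it at the first depth, entry-count, element-count or string-length limit exceeded; the limit values and payloads callers pass are constructed for the example, not Vault's defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)
// Limits holds structural caps like the advisory's listener options; the values
// callers pass are illustrative assumptions, not Vault's defaults.
type Limits struct{ MaxDepth, MaxStringLen, MaxObjectEntries, MaxArrayElements int }
// frame tracks one open container: tokens seen, entry cap, tokens per entry.
type frame struct{ tokens, max, step int }
// CheckJSONComplexity streams the token sequence and fails at the first limit
// exceeded, so a small-in-bytes but deep or wide payload is rejected cheaply.
func CheckJSONComplexity(payload string, lim Limits) error {
	dec := json.NewDecoder(strings.NewReader(payload))
	var stack []frame
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(stack) == 0 {
			return nil // complete document within all limits
		}
		if err != nil {
			return fmt.Errorf("malformed JSON: %w", err)
		}
		if n := len(stack); n > 0 {
			top := &stack[n-1]
			if d, ok := tok.(json.Delim); ok && (d == '}' || d == ']') {
				stack = stack[:n-1] // container closed
				continue
			}
			if top.tokens++; top.tokens > top.max*top.step {
				return fmt.Errorf("container exceeds %d entries", top.max)
			}
		}
		switch v := tok.(type) {
		case json.Delim: // only '{' or '[' reach here; objects yield key+value per entry
			caps := map[json.Delim]frame{'[': {max: lim.MaxArrayElements, step: 1}, '{': {max: lim.MaxObjectEntries, step: 2}}
			if stack = append(stack, caps[v]); len(stack) > lim.MaxDepth {
				return fmt.Errorf("nesting exceeds depth %d", lim.MaxDepth)
			}
		case string: // keys and values alike in this example
			if len(v) > lim.MaxStringLen {
				return fmt.Errorf("string exceeds %d bytes", lim.MaxStringLen)
			}
		}
	}
}
```

A nine-byte payload such as `[[[[1]]]]` passes any sensible size limit but is rejected by a depth cap of 3, which is the point the advisory's new options address.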
The vulnerability impacts:
- Vault Community and Enterprise editions
- Versions 1.15.0 up to 1.20.2, including 1.19.8, 1.18.13, and 1.16.24
Patched versions are now available:
- Vault 1.20.3 (Community & Enterprise)
- Vault Enterprise 1.19.9, 1.18.14, and 1.16.25
HashiCorp strongly recommends upgrading immediately. The advisory states: “Customers should evaluate the risk associated with these issues and consider upgrading to Vault Community Edition 1.20.3 or Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.”
Additional guidance on safe upgrading procedures is available in the official Vault upgrade documentation.