High severity · NVD Advisory · Published Aug 28, 2025 · Updated Oct 23, 2025
Vault unauthenticated denial of service through complex json payload
CVE-2025-6203
Description
A malicious user may submit a specially crafted complex payload that otherwise meets the default request size limit, resulting in excessive memory and CPU consumption in Vault. This may lead to a timeout in Vault's auditing subroutine, potentially causing the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/hashicorp/vault (Go) | < 1.20.3 | 1.20.3 |
Affected products
23 affected versions (OSV coordinates). No CPE is recorded for any of these entries.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/splunk-otel-collector | < 0.132.0-r2 |
| pkg:apk/chainguard/splunk-otel-collector-compat | < 0.132.0-r2 |
| pkg:apk/chainguard/splunk-otel-collector-doc | < 0.132.0-r2 |
| pkg:apk/chainguard/splunk-otel-collector-fips | < 0.132.0-r1 |
| pkg:apk/chainguard/splunk-otel-collector-migratecheckpoint | < 0.132.0-r2 |
| pkg:apk/chainguard/splunk-otel-collector-migratecheckpoint-compat | < 0.132.0-r2 |
| pkg:apk/chainguard/vault-1.16-compat | < 1.16.3-r26 |
| pkg:apk/chainguard/vault-1.17-compat | < 1.17.6-r18 |
| pkg:apk/chainguard/vault-1.18-compat | < 1.18.5-r15 |
| pkg:apk/chainguard/vault-1.19-compat | < 1.19.5-r5 |
| pkg:apk/chainguard/vault-1.20 | < 1.20.4-r2 |
| pkg:apk/chainguard/vault-fips-1.19-compat | < 1.19.5-r8 |
| pkg:apk/wolfi/splunk-otel-collector | < 0.132.0-r2 |
| pkg:apk/wolfi/splunk-otel-collector-compat | < 0.132.0-r2 |
| pkg:apk/wolfi/splunk-otel-collector-doc | < 0.132.0-r2 |
| pkg:apk/wolfi/splunk-otel-collector-migratecheckpoint | < 0.132.0-r2 |
| pkg:apk/wolfi/splunk-otel-collector-migratecheckpoint-compat | < 0.132.0-r2 |
| pkg:bitnami/vault | >= 1.15.0, < 1.20.3 |
| pkg:golang/github.com/hashicorp/vault | < 1.20.3 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20250918T182144-150000.1.107.1 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | < 0.0.20250908T141310-1.1 |
| pkg:rpm/opensuse/openbao&distro=openSUSE%20Tumbleweed | < 2.4.1-1.1 |
| pkg:rpm/suse/govulncheck-vulndb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6 | < 0.0.20250918T182144-150000.1.107.1 |
- Range: 1.15.0
References
- github.com/advisories/GHSA-8f82-53h8-2p34 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-6203 (GHSA, advisory)
- discuss.hashicorp.com (GHSA, web)
- discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393 (GHSA, web)
- github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab89 (GHSA, web)