HashiCorp Vault Vulnerability Allows Attackers to Cause Server Crashes
A high-severity denial-of-service vulnerability, tracked as CVE-2025-6203, has been identified in HashiCorp Vault. It allows an attacker to overwhelm a server with specially crafted JSON payloads. The flaw affects both Vault Community and Enterprise editions from version 1.15.0 up to, but not including, the fixed releases listed below, and leaves an affected instance unresponsive through excessive resource consumption. Published on August 28, 2025, the flaw lies in the audit devices responsible for logging request interactions. By submitting deeply nested JSON structures, or payloads with an excessive number of entries, that still fit within the default max_request_size limit of 32 MiB, an attacker can force extreme CPU and memory usage, leading to timeouts and an unresponsive server. Operators are strongly urged to upgrade to Vault 1.20.3 (Community and Enterprise), or to Enterprise 1.19.9, 1.18.14, or 1.16.25, to mitigate this issue.
Alongside the fix, HashiCorp has introduced new listener configuration options that allow operators to limit JSON payload complexity: max_json_depth, max_json_string_value_length, max_json_object_entry_count, and max_json_array_element_count. These matter because max_request_size bounds only the raw byte size of a request; a payload well under 32 MiB can still nest thousands of levels deep or carry tens of thousands of entries, which is exactly what this attack relies on. Administrators are encouraged to review their max_request_size settings and implement the listener-level constraints as part of a comprehensive defence strategy. The CVSS 3.1 score for this vulnerability is 7.5, indicating high severity. HashiCorp acknowledges Darrell Bethea, Ph.D., of Indeed, for responsibly reporting this vulnerability, highlighting the importance of proactive security measures in safeguarding against potential attacks.
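The following Python script is an added example, not Vault's own code, that shows what the four listener limits actually measure by computing the same four metrics for a JSON payload in a single pass over the raw text. It deliberately avoids a recursive parser, because a payload built to exhaust a recursive JSON processor will also exhaust one. The limit values in LIMITS are illustrative; set them to whatever your listener stanza declares. The three sample payloads are constructed for the example and are all far smaller than 32 MiB.

```python
"""Pre-parse JSON complexity check modelled on the Vault 1.20.3+ listener
limits max_json_depth, max_json_string_value_length,
max_json_object_entry_count and max_json_array_element_count.

Added example, not Vault code. The scan is iterative (a stack of counters,
no recursion), so it is safe to run on input designed to blow up a
recursive parser. It does not validate JSON; run it on what a real parser
will also see."""

from dataclasses import dataclass
import json


@dataclass
class Complexity:
    max_depth: int = 0
    max_string_len: int = 0        # raw characters between the quotes, escapes counted as written
    max_object_entries: int = 0
    max_array_elements: int = 0


def json_complexity(text: str) -> Complexity:
    """Single pass over the raw text; O(n) time, O(depth) memory."""
    c = Complexity()
    stack = []          # one [opener, comma_count, seen_value] per open container
    in_string = False
    escaped = False
    str_len = 0
    for ch in text:
        if in_string:
            if escaped:                     # character after a backslash
                escaped = False
                str_len += 1
            elif ch == "\\":
                escaped = True
                str_len += 1
            elif ch == '"':                 # unescaped quote closes the string
                in_string = False
                c.max_string_len = max(c.max_string_len, str_len)
            else:
                str_len += 1
            continue
        if ch == '"':                       # opening quote of a key or value
            in_string = True
            str_len = 0
            if stack:
                stack[-1][2] = True
        elif ch in "{[":
            if stack:
                stack[-1][2] = True         # a nested container counts as an element of its parent
            stack.append([ch, 0, False])
            c.max_depth = max(c.max_depth, len(stack))
        elif ch in "}]":
            if not stack:
                raise ValueError("unbalanced closing bracket")
            opener, commas, seen = stack.pop()
            n = commas + 1 if seen else 0   # {} and [] have zero entries
            if opener == "{":
                c.max_object_entries = max(c.max_object_entries, n)
            else:
                c.max_array_elements = max(c.max_array_elements, n)
        elif ch == ",":
            if stack:
                stack[-1][1] += 1
        elif not ch.isspace() and ch != ":":  # number, true/false/null
            if stack:
                stack[-1][2] = True
    if stack or in_string:
        raise ValueError("truncated JSON document")
    return c


# Illustrative limits (assumed for the example); copy the values from your listener stanza.
LIMITS = {
    "max_json_depth": 75,
    "max_json_string_value_length": 1024 * 1024,
    "max_json_object_entry_count": 10_000,
    "max_json_array_element_count": 10_000,
}


def violations(text: str, limits=LIMITS) -> list:
    """Names of the limits a payload would exceed, with observed vs. allowed."""
    c = json_complexity(text)
    observed = {
        "max_json_depth": c.max_depth,
        "max_json_string_value_length": c.max_string_len,
        "max_json_object_entry_count": c.max_object_entries,
        "max_json_array_element_count": c.max_array_elements,
    }
    return [f"{k}: {observed[k]} > {limits[k]}" for k in limits if observed[k] > limits[k]]


# Constructed payloads: a normal KV write and two shaped like the advisory
# describes (deep nesting, excessive entries). All are a tiny fraction of 32 MiB.
BENIGN = json.dumps({"data": {"password": "hunter2", "tags": ["prod", "db"]}})
DEEP = "[" * 5000 + "]" * 5000      # json.loads(DEEP) raises RecursionError on CPython; this scan does not
WIDE = json.dumps({"data": {f"k{i}": i for i in range(20_000)}})

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("deep", DEEP), ("wide", WIDE)):
        print(f"{name:7s} {len(payload):>8d} bytes  {violations(payload) or 'within limits'}")
```

The point of the two hostile samples is that both pass a byte-size check with room to spare, so max_request_size alone would admit them; only a depth or entry-count limit rejects them. The same four keys go into the `listener "tcp"` stanza of a patched Vault.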
Categories: Vulnerability, Denial of Service, Mitigation Strategies
Tags: HashiCorp, Vault, Vulnerability, Denial-of-Service, JSON, Upgrade, Resource Consumption, Audit Devices, Mitigation, CVE-2025-6203