
Server Crash Vulnerability in HashiCorp Vault Lets Attackers Wreak Havoc

Malicious users can exploit a severe denial-of-service flaw in HashiCorp Vault by flooding servers with specially crafted JSON payloads. Parsing these payloads consumes excessive resources, causing Vault instances to become unresponsive.

Exploitation of HashiCorp Vault's Vulnerability Facilitates Server Crashes

Vulnerability Discovered in HashiCorp Vault: CVE-2025-6203

HashiCorp has addressed a Denial-of-Service vulnerability (CVE-2025-6203) in its Vault platform, following responsible disclosure by Darrell Bethea, Ph.D., of Indeed. The vulnerability was published on August 28, 2025.

The flaw allows malicious actors to overwhelm servers with specially crafted JSON payloads, leading to excessive resource consumption. As the JSON parser recurses through deeply nested payloads, long string values, or objects with very high entry counts, memory consumption spikes, requests time out, and the Vault server becomes unresponsive.

To mitigate this issue, operators are urged to upgrade to Vault 1.20.3 (Community and Enterprise), 1.19.9, 1.18.14, or 1.16.25. These patched versions include built-in limits on JSON payload complexity to prevent excessive recursion.

The vulnerability affects both the Vault Community and Enterprise editions from version 1.15.0 up to the patched releases listed above. In addition to the upgrades, HashiCorp has introduced new listener configuration options to harden Vault against abusive JSON payloads. Operators can now configure the maximum length of string values, the maximum nesting depth of JSON objects, the maximum number of elements in a JSON array, and the maximum number of key/value pairs in an object.

Moreover, the TCP listener can now be configured to limit both the size and the structural complexity of incoming JSON payloads. Operators should review their max_request_size settings and apply these listener-level constraints on JSON parsing as part of a defense-in-depth strategy.
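The listener-level limits described above work by rejecting a payload as soon as it exceeds a bound, rather than after the parser has built the whole document in memory. The following Go program is an added illustration of that idea and is not Vault's own code; the Limits field names and error messages are this example's own, and the sample payloads are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Limits mirrors the four listener-level constraints the advisory describes;
// field names are this example's own, not Vault's parameter names.
type Limits struct{ MaxDepth, MaxStringLen, MaxArrayElems, MaxObjectEntries int }

type container struct{ object bool; tokens int } // tokens: keys+values in an object, values in an array

// CheckJSONComplexity streams the payload with json.Decoder.Token and rejects it
// at the first violated limit, before any full in-memory tree is built.
func CheckJSONComplexity(payload string, l Limits) error {
	dec := json.NewDecoder(strings.NewReader(payload))
	var stack []container
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(stack) == 0 {
			return nil
		}
		if err != nil {
			return err // malformed input, or EOF inside an open container
		}
		if d, ok := tok.(json.Delim); ok && (d == '}' || d == ']') {
			stack = stack[:len(stack)-1]
			continue
		}
		if n := len(stack); n > 0 { // a key or value inside the innermost container
			top := &stack[n-1]
			if (top.object && top.tokens%2 == 0 && top.tokens/2 >= l.MaxObjectEntries) ||
				(!top.object && top.tokens >= l.MaxArrayElems) {
				return fmt.Errorf("container at depth %d exceeds its entry limit", n)
			}
			top.tokens++
		}
		if s, ok := tok.(string); ok && len(s) > l.MaxStringLen { // keys count too
			return fmt.Errorf("string exceeds %d bytes", l.MaxStringLen)
		}
		if d, ok := tok.(json.Delim); ok { // '{' or '[' opens a nested container
			if stack = append(stack, container{object: d == '{'}); len(stack) > l.MaxDepth {
				return fmt.Errorf("nesting exceeds depth %d", l.MaxDepth)
			}
		}
	}
}
```

Note that json.Decoder still buffers each individual string token before it can be measured, which is why an overall request-size cap such as max_request_size remains necessary alongside the structural limits.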

HashiCorp acknowledges Darrell Bethea for his responsible reporting and the diligent work of its security team in addressing this issue promptly. Detailed guidance can be found in the API documentation for listener parameters and the Vault upgrade guide.

In conclusion, upgrading to the recommended versions and implementing the new listener configuration options will help operators secure their Vault instances against the CVE-2025-6203 vulnerability.
