CVE-2025-4166 MEDIUM

CVE-2025-4166: Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin

Vendor HashiCorp
Product Vault
Weakness CWE-209 · Error message info leak
Published May 2, 2025
Last update May 8, 2025

CVSS base score

4.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

The Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16 and 1.16.20.

Key dates

Disclosure timeline

May 2, 2025 CVE published
May 8, 2025 Record updated