CVE-2025-6203 HIGH

CVE-2025-6203: Vault unauthenticated denial of service through complex json payload

Vendor Hashicorp
Product Vault
Weakness CWE-770 · Uncontrolled resource consumption
Published August 28, 2025
Last update October 23, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Key dates

02Disclosure timeline

August 28, 2025 CVE published
October 23, 2025 Record updated