7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59043

GHSA ID

GHSA-g46h-2rq9-gw5m

EPSS Score

CWE

CWE-400

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59043

CVE-2025-59043: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests

Summary

JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage (similar to a zip bomb). While reproducing the issue, we could reach a factor of about 35. This can be used to circumvent the [max_request_size (https://openbao.org/docs/configuration/listener/tcp/) configuration parameter, which is meant to protect against Denial of Service attacks, and also makes Denial of Service attacks easier in general, as the attacker needs much less resources.

Details

The request body is parsed into a map[string]interface{} https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50 very early in the request handling chain (before authentication), which means an attacker can send a specifically crafted JSON object and cause an OOM crash. Additionally, for simpler requests with large numbers of strings, the audit subsystem can consume large quantities of CPU.

To remediate, set max_request_json_memory and max_request_json_strings.

Impact

Unauthenticated Denial of Service

Resources

This issue was disclosed directly to HashiCorp and is the OpenBao equivalent of the following tickets:

https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
https://nvd.nist.gov/vuln/detail/CVE-2025-6203

HashiCorp attributes the problem to the audit subsystem. For OpenBao, it was noted the problem was additionally in the requests handling logic.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59043

GHSA ID

GHSA-g46h-2rq9-gw5m

EPSS Score

CWE

CWE-400

Published

10/17/2025

Updated

10/17/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/openbao/openbao	go	<= 2.4.0	2.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the uncontrolled resource consumption when parsing JSON request bodies in OpenBao. An unauthenticated attacker could send a specially crafted JSON payload that, while small in size, would consume a large amount of memory when deserialized, leading to a Denial of Service. This is akin to a "zip bomb" but for JSON.

The analysis of the patches between the vulnerable version 2.4.0 and the patched version 2.4.1 reveals the exact functions involved. The initial fix in commit e06c48df5dc1da5617258cd0ef5cfdfc7de12b16 introduced a limit on the number of JSON tokens in the http.parseJSONRequest function. This was later refined in commit 21939c1c4b352e91725635085bb3fb4e4e42e9c0 to more accurately estimate memory usage and limit the number of strings by introducing a new function, http.NewSafeJSONReader.

The core of the vulnerability is in http.parseJSONRequest, which, prior to the patches, performed no validation on the complexity of the incoming JSON. The function http.LogicalRequest is the HTTP handler that calls parseJSONRequest for unauthenticated requests, making it the entry point for the attack. Therefore, both functions would likely appear in a runtime profile during exploitation. The function http.NewSafeJSONReader is the mitigation itself, containing the logic to prevent the excessive resource consumption.

Vulnerable functions

http.parseJSONRequest

http/handler.go

This function is responsible for parsing the JSON request body. Before the patch, it lacked checks to prevent the processing of overly complex JSON structures that could lead to excessive memory allocation (a "JSON bomb"), causing a denial of service. The vulnerability is triggered when this function attempts to decode a malicious JSON payload from an unauthenticated user.

http.LogicalRequest

http/logical.go

This function is an HTTP handler that receives requests for logical backends. It calls the vulnerable `parseJSONRequest` function to process the request body. As this is a primary entry point for unauthenticated requests to the logical backend, it would appear in a stack trace during the exploitation of this vulnerability.

http.NewSafeJSONReader

http/json.go

This function was introduced as part of the mitigation. It wraps the request body reader and inspects the JSON tokens to enforce limits on memory and string counts. While not vulnerable itself, it's a key part of the fix and directly addresses the underlying weakness in the original `parseJSONRequest` function. It is included here as it is a security control function modified to mitigate the vulnerability.

WAF Protection Rules

WAF Rule

### Summ*ry JSON o*j**ts **t*r ***o*in* mi**t us* mor* m*mory t**n t**ir s*ri*liz** v*rsion. It is possi*l* to tun* * JSON to m*ximiz* t** ***tor **tw**n s*ri*liz** m*mory us*** *n* **s*ri*liz** m*mory us*** (simil*r to * zip *om*). W*il* r*pro*u*in

Reasoning

T** vuln*r**ility li*s in t** un*ontroll** r*sour** *onsumption w**n p*rsin* JSON r*qu*st *o*i*s in Op*n**o. *n un*ut**nti**t** *tt**k*r *oul* s*n* * sp**i*lly *r**t** JSON p*ylo** t**t, w*il* sm*ll in siz*, woul* *onsum* * l*r** *mount o* m*mory w**

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-59043: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests

Summary

Details

Impact

Resources

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI