The vulnerability, CVE-2025-6203, is a denial-of-service in HashiCorp Vault caused by the unbounded parsing of complex JSON payloads. An attacker could send a specially crafted JSON request that, while respecting the overall request size limit, would cause excessive CPU and memory consumption during parsing, leading to a server crash.
The analysis of the patch commit eedc2b7426f30e57e306229ce697ce81e203ab89 reveals that the vulnerability was due to a lack of specific limits on the structure of JSON payloads. The fix involves introducing several new configurable limits:
- max_json_depth: maximum nesting depth of a JSON object.
- max_json_string_value_length: maximum length of a string value in a JSON payload.
- max_json_object_entry_count: maximum number of key-value pairs in a JSON object.
- max_json_array_element_count: maximum number of elements in a JSON array.

The core of the fix is the new function VerifyMaxDepthStreaming in sdk/helper/jsonutil/json.go, which scans the JSON stream and enforces these limits before the full decoding takes place.
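To make the streaming pre-check concrete, here is an added example (not Vault's VerifyMaxDepthStreaming, and not from the patch) that enforces the same four limits over encoding/json's token stream before anything is fully decoded; the Limits and frame types and the VerifyJSONLimits function are this example's own names.

```go
package main
import (
	"encoding/json"
	"fmt"
	"io"
)

// Limits: the four caps the patch introduces (max_json_depth, max_json_string_value_length,
// max_json_object_entry_count, max_json_array_element_count). Type and field names are the example's own.
type Limits struct{ MaxDepth, MaxStringValueLen, MaxObjectEntries, MaxArrayElements int }
// frame: one open container; an object entry is two tokens (key, then value).
type frame struct {
	isObject bool
	tokens   int
}
// VerifyJSONLimits walks the token stream without materialising the value,
// so an over-limit payload is rejected before a full decode allocates it.
func VerifyJSONLimits(r io.Reader, lim Limits) error {
	dec := json.NewDecoder(r)
	var stack []frame
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(stack) == 0 {
			return nil // clean end of a balanced document
		} else if err != nil {
			return err // syntax error, or EOF with containers still open
		}
		d, isDelim := tok.(json.Delim)
		closing := isDelim && (d == '}' || d == ']')
		if n := len(stack); n > 0 && !closing {
			top := &stack[n-1]
			top.tokens++
			if top.isObject && (top.tokens+1)/2 > lim.MaxObjectEntries {
				return fmt.Errorf("object exceeds %d entries", lim.MaxObjectEntries)
			} else if !top.isObject && top.tokens > lim.MaxArrayElements {
				return fmt.Errorf("array exceeds %d elements", lim.MaxArrayElements)
			}
		}
		if closing {
			stack = stack[:len(stack)-1]
		} else if isDelim {
			if len(stack) >= lim.MaxDepth {
				return fmt.Errorf("nesting exceeds depth %d", lim.MaxDepth)
			}
			stack = append(stack, frame{isObject: d == '{'})
		} else if s, ok := tok.(string); ok && len(s) > lim.MaxStringValueLen {
			return fmt.Errorf("string exceeds %d bytes", lim.MaxStringValueLen) // keys capped too
		}
	}
}
```

Note that dec.Token() still has to read an individual string token in full, so the string cap bounds per-value work only after the total request size limit has already bounded the input.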
The identified vulnerable functions are key components in the request processing pipeline that were involved in handling the JSON payload before the new validation was implemented:
github.com/hashicorp/vault/http.wrapMaxRequestSizeHandler.func1: This HTTP middleware was the first line of defense, but it only checked the total request size, which was insufficient to prevent this attack.
github.com/hashicorp/vault/http.buildLogicalRequestNoAuth: This function is responsible for processing the request and initiating the JSON decoding. It was directly exposed to the malicious payload.
github.com/hashicorp/vault/sdk/helper/jsonutil.DecodeJSONFromReader: This function performs the actual JSON decoding using the standard library, and it's where the resource exhaustion would occur.
During an exploit on a vulnerable version, a runtime profiler would show a significant amount of time being spent in these functions, particularly in DecodeJSONFromReader and the underlying encoding/json library calls, as the server struggles to parse the complex JSON structure.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/hashicorp/vault | go | < 1.20.3 | 1.20.3 |