
CVE-2025-6203: HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.10951%
Published: 8/28/2025
Updated: 8/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name                 Ecosystem   Vulnerable Versions   First Patched Version
github.com/hashicorp/vault   go          < 1.20.3              1.20.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability, CVE-2025-6203, is a denial-of-service in HashiCorp Vault caused by the unbounded parsing of complex JSON payloads. An attacker could send a specially crafted JSON request that, while respecting the overall request size limit, would cause excessive CPU and memory consumption during parsing, leading to a server crash.

The analysis of the patch commit eedc2b7426f30e57e306229ce697ce81e203ab89 reveals that the vulnerability was due to a lack of specific limits on the structure of JSON payloads. The fix involves introducing several new configurable limits:

  • max_json_depth: Maximum nesting depth of a JSON object.
  • max_json_string_value_length: Maximum length of a string value in a JSON payload.
  • max_json_object_entry_count: Maximum number of key-value pairs in a JSON object.
  • max_json_array_element_count: Maximum number of elements in a JSON array.

The core of the fix is the new function VerifyMaxDepthStreaming in sdk/helper/jsonutil/json.go, which scans the JSON stream and enforces these limits before the full decoding takes place.

The identified vulnerable functions are key components in the request processing pipeline that were involved in handling the JSON payload before the new validation was implemented:

  1. github.com/hashicorp/vault/http.wrapMaxRequestSizeHandler.func1: This HTTP middleware was the first line of defense, but it only checked the total request size, which was insufficient to prevent this attack.

  2. github.com/hashicorp/vault/http.buildLogicalRequestNoAuth: This function is responsible for processing the request and initiating the JSON decoding. It was directly exposed to the malicious payload.

  3. github.com/hashicorp/vault/sdk/helper/jsonutil.DecodeJSONFromReader: This function performs the actual JSON decoding using the standard library, and it's where the resource exhaustion would occur.

During an exploit on a vulnerable version, a runtime profiler would show a significant amount of time being spent in these functions, particularly in DecodeJSONFromReader and the underlying encoding/json library calls, as the server struggles to parse the complex JSON structure.


WAF Protection Rules

WAF Rule

A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially
