CVE-2025-59043 – OpenBao versions before 2.4.1 have a memory exh... (How to Fix)

Q: What is the severity of CVE-2025-59043?

CVE-2025-59043 has a CVSS score of 7.5 (HIGH). OpenBao versions before 2.4.1 have a memory exhaustion vulnerability where specially crafted JSON payloads can cause disproportionate memory consumption during deserialization, similar to a zip bomb. This allows unauthenticated attackers to bypass max_request_size limits and cause denial of service through out-of-memory crashes. All OpenBao deployments using vulnerable versions are affected.

📋 TL;DR

OpenBao versions before 2.4.1 have a memory exhaustion vulnerability where specially crafted JSON payloads can cause disproportionate memory consumption during deserialization, similar to a zip bomb. This allows unauthenticated attackers to bypass max_request_size limits and cause denial of service through out-of-memory crashes. All OpenBao deployments using vulnerable versions are affected.

💻 Affected Systems

Products:

OpenBao

Versions: All versions prior to 2.4.1

Operating Systems: All platforms running OpenBao

Default Config Vulnerable: ⚠️ Yes

Notes: All configurations are vulnerable as the issue occurs before authentication in the request handling chain.

📦 What is this software?

Openbao by Openbao

View all CVEs affecting Openbao →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage due to out-of-memory crashes, potentially affecting all secrets management operations and dependent applications.

🟠

Likely Case

Service degradation or temporary unavailability due to memory exhaustion, impacting authentication and secrets retrieval.

🟢

If Mitigated

Minimal impact if proper rate limiting and request filtering are in place, though memory spikes may still occur.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows any internet-facing instance to be targeted for DoS attacks.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The advisory provides technical details that make exploitation straightforward for attackers familiar with JSON deserialization attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1

Vendor Advisory: https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m

Restart Required: Yes

Instructions:

1. Backup OpenBao configuration and data. 2. Stop OpenBao service. 3. Upgrade to OpenBao 2.4.1 using your package manager or direct download. 4. Restart OpenBao service. 5. Verify service is running and accessible.

🔧 Temporary Workarounds

Rate Limiting and Request Filtering

all

Implement network-level controls to limit request sizes and filter suspicious JSON payloads before they reach OpenBao.

Memory Limits and Monitoring

linux

Configure strict memory limits for OpenBao process and implement aggressive monitoring for memory spikes.

# For systemd: edit /etc/systemd/system/openbao.service
# Add: MemoryMax=2G
# Then: systemctl daemon-reload && systemctl restart openbao

🧯 If You Can't Patch

Implement WAF or reverse proxy with JSON payload inspection and size limits
Isolate OpenBao instances and implement strict network segmentation to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check OpenBao version: if version is less than 2.4.1, the system is vulnerable.

Check Version:

openbao version

Verify Fix Applied:

After patching, verify version is 2.4.1 or higher and test with normal JSON requests to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

Memory allocation errors
Process crashes/restarts
Unusually large request sizes in access logs
High CPU usage by audit subsystem

Network Indicators:

Large JSON payloads to OpenBao endpoints
Repeated requests with complex JSON structures

SIEM Query:

source="openbao" AND ("out of memory" OR "panic" OR "request size" > 1000000)

📊 Metadata

CVE ID: CVE-2025-59043

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 0.13% exploit probability (33th percentile)

Published: October 17, 2025

Last Updated: October 24, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-59043, you might also want to check these: