CVE-2025-6203

7.5 HIGH

📋 TL;DR

CVE-2025-6203 is a denial-of-service vulnerability in HashiCorp Vault where specially crafted JSON payloads can cause excessive memory and CPU consumption, potentially making the Vault server unresponsive. It affects both the Community and Enterprise editions. Attackers can exploit it by sending complex payloads that stay within the default request size limits but still trigger resource exhaustion.

💻 Affected Systems

Products:
  • HashiCorp Vault Community Edition
  • HashiCorp Vault Enterprise
Versions: All versions before Vault Community Edition 1.20.3, Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Default request size limits do not prevent this attack as payloads can be crafted to stay within limits while still causing resource exhaustion.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete Vault service outage, preventing access to secrets and credentials, disrupting dependent applications and infrastructure.

🟠 Likely Case

Temporary service degradation or unresponsiveness during the attack, causing timeouts for legitimate requests and audit failures.

🟢 If Mitigated

Minimal impact with proper request filtering and resource limits in place.

🌐 Internet-Facing: HIGH - Internet-facing Vault instances are directly accessible to attackers who can send malicious payloads.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires sending specially crafted JSON payloads but does not require authentication. The technique is straightforward for attackers familiar with DoS techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vault Community Edition 1.20.3, Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393

Restart Required: Yes

Instructions:

1. Download the patched version from HashiCorp releases.
2. Stop the Vault service.
3. Back up configuration and data.
4. Install the patched version.
5. Restart the Vault service.
6. Verify the service is running correctly.

🔧 Temporary Workarounds

Implement request filtering at load balancer (applies to: all)

Configure load balancers or WAFs to filter or limit complex JSON payloads before they reach Vault.

Reduce request size limits (applies to: all)

Lower the maximum request size limit below the default to reduce the attack surface.

vault server -config=config.hcl (with reduced max_request_size)
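The two workarounds above (filter complex JSON at the load balancer or WAF, and cap request size) can be combined in one bounded-cost gate that runs in the reverse proxy before a request is forwarded to Vault. The following is an added example, not Vault's own code or HashiCorp's recommended implementation; the thresholds (1 MiB, depth 32, 10,000 tokens) and the sample bodies are constructed assumptions to be tuned for your workload. The scanner makes a single pass over the raw bytes, never builds a parsed tree, and rejects as soon as any limit is crossed, so the gate itself cannot be made expensive by the payload it inspects.

```python
"""Bounded-cost JSON complexity gate for a proxy in front of Vault.

Added example (not part of Vault). Thresholds are hypothetical: the byte cap
sits well below Vault's default max_request_size of 32 MiB, and depth/token
limits are far above what ordinary Vault API bodies need.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_bytes: int = 1_048_576   # assumption: 1 MiB cap on the raw body
    max_depth: int = 32          # assumption: maximum nesting of {} / []
    max_tokens: int = 10_000     # assumption: strings + containers + commas


def check_json_complexity(body: bytes, limits: Limits = Limits()) -> tuple[bool, str]:
    """Return (accepted, reason).

    Only structure is measured, not JSON validity; a body that passes is
    still parsed by Vault itself. Work is O(len(body)) with constant memory.
    """
    if len(body) > limits.max_bytes:
        return False, f"body {len(body)} B exceeds {limits.max_bytes} B"

    depth = 0
    tokens = 0
    in_string = False
    escaped = False
    for ch in body:
        if in_string:
            # Inside a string literal brackets are data, not structure.
            if escaped:
                escaped = False
            elif ch == 0x5C:          # backslash starts an escape
                escaped = True
            elif ch == 0x22:          # unescaped quote closes the string
                in_string = False
            continue
        if ch == 0x22:                # opening quote
            in_string = True
            tokens += 1
        elif ch in (0x7B, 0x5B):      # '{' or '[' opens a container
            depth += 1
            tokens += 1
            if depth > limits.max_depth:
                return False, f"nesting depth exceeds {limits.max_depth}"
        elif ch in (0x7D, 0x5D):      # '}' or ']' closes a container
            depth -= 1
            if depth < 0:
                return False, "unbalanced closing bracket"
        elif ch == 0x2C:              # ',' separates values; counts as a token
            tokens += 1
        if tokens > limits.max_tokens:
            return False, f"token count exceeds {limits.max_tokens}"

    if in_string or depth != 0:
        return False, "truncated or unbalanced JSON"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
NORMAL_KV_WRITE = b'{"data":{"username":"svc-app","password":"s3cr\\"et"}}'
DEEPLY_NESTED = b"[" * 64 + b"]" * 64                    # depth 64
WIDE_ARRAY = b"[" + b",".join([b"0"] * 20_000) + b"]"    # ~20k tokens
OVERSIZED = b'{"data":"' + b"A" * (2 * 1024 * 1024) + b'"}'


def demo() -> dict[str, tuple[bool, str]]:
    """Run the gate over the constructed samples and return each verdict."""
    samples = {
        "normal_kv_write": NORMAL_KV_WRITE,
        "deeply_nested": DEEPLY_NESTED,
        "wide_array": WIDE_ARRAY,
        "oversized": OVERSIZED,
    }
    return {name: check_json_complexity(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:16} accepted={accepted} reason={reason}")
```

Deploy the check in the WAF or reverse-proxy layer the page already recommends, and log rejections with the source address so they feed the network indicators listed under Detection & Monitoring. Because it only counts structure, the gate never has to allocate for the payload and does not change what Vault accepts once a request is forwarded.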

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Vault only from trusted sources.
  • Deploy rate limiting and request validation at the network perimeter to block suspicious payload patterns.

🔍 How to Verify

Check if Vulnerable:

Check the Vault version with the 'vault version' command and compare it against the affected versions.

Check Version:

vault version

Verify Fix Applied:

Verify that the version is 1.20.3 or later for Community Edition, or, for Enterprise, 1.20.3, 1.19.9, 1.18.14, or 1.16.25 or later within the corresponding release line.

📡 Detection & Monitoring

Log Indicators:

  • High memory/CPU usage spikes
  • Audit log timeouts
  • Request processing delays
  • Error messages related to resource exhaustion

Network Indicators:

  • Unusually large or complex JSON payloads to Vault endpoints
  • Multiple similar requests in short timeframes

SIEM Query:

source="vault" AND ("timeout" OR "memory" OR "cpu" OR "unresponsive")
