x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-8f82-53h8-2p34

Advisory [GHSA-8f82-53h8-2p34](https://github.com/advisories/GHSA-8f82-53h8-2p34) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/hashicorp/vault](https://pkg.go.dev/github.com/hashicorp/vault) |

Description:
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

References:
- ADVISORY: https://github.com/advisories/GHSA-8f82-53h8-2p34
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-6203
- FIX: https://github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab89
- WEB: https://discuss.hashicorp.com
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393

Cross references:
- github.com/hashicorp/vault appears in 48 other report(s):
  - data/reports/GO-2022-0578.yaml    (https://github.com/golang/vulndb/issues/578)
  - data/reports/GO-2022-0590.yaml    (https://github.com/golang/vulndb/issues/590)
  - data/reports/GO-2022-0611.yaml    (https://github.com/golang/vulndb/issues/611)
  - data/reports/GO-2022-0618.yaml    (https://github.com/golang/vulndb/issues/618)
  - data/reports/GO-2022-0620.yaml    (https://github.com/golang/vulndb/issues/620)
  - data/reports/GO-2022-0623.yaml    (https://github.com/golang/vulndb/issues/623)
  - data/reports/GO-2022-0632.yaml    (https://github.com/golang/vulndb/issues/632)
  - data/reports/GO-2022-0778.yaml    (https://github.com/golang/vulndb/issues/778)
  - data/reports/GO-2022-0816.yaml    (https://github.com/golang/vulndb/issues/816)
  - data/reports/GO-2022-0825.yaml    (https://github.com/golang/vulndb/issues/825)
  - data/reports/GO-2022-1021.yaml    (https://github.com/golang/vulndb/issues/1021)
  - data/reports/GO-2023-1685.yaml    (https://github.com/golang/vulndb/issues/1685)
  - data/reports/GO-2023-1708.yaml    (https://github.com/golang/vulndb/issues/1708)
  - data/reports/GO-2023-1709.yaml    (https://github.com/golang/vulndb/issues/1709)
  - data/reports/GO-2023-1849.yaml    (https://github.com/golang/vulndb/issues/1849)
  - data/reports/GO-2023-1897.yaml    (https://github.com/golang/vulndb/issues/1897)
  - data/reports/GO-2023-1900.yaml    (https://github.com/golang/vulndb/issues/1900)
  - data/reports/GO-2023-1986.yaml    (https://github.com/golang/vulndb/issues/1986)
  - data/reports/GO-2023-2063.yaml    (https://github.com/golang/vulndb/issues/2063)
  - data/reports/GO-2023-2088.yaml    (https://github.com/golang/vulndb/issues/2088)
  - data/reports/GO-2023-2329.yaml    (https://github.com/golang/vulndb/issues/2329)
  - data/reports/GO-2023-2399.yaml    (https://github.com/golang/vulndb/issues/2399)
  - data/reports/GO-2024-2485.yaml    (https://github.com/golang/vulndb/issues/2485)
  - data/reports/GO-2024-2486.yaml    (https://github.com/golang/vulndb/issues/2486)
  - data/reports/GO-2024-2488.yaml    (https://github.com/golang/vulndb/issues/2488)
  - data/reports/GO-2024-2508.yaml    (https://github.com/golang/vulndb/issues/2508)
  - data/reports/GO-2024-2509.yaml    (https://github.com/golang/vulndb/issues/2509)
  - data/reports/GO-2024-2511.yaml    (https://github.com/golang/vulndb/issues/2511)
  - data/reports/GO-2024-2514.yaml    (https://github.com/golang/vulndb/issues/2514)
  - data/reports/GO-2024-2617.yaml    (https://github.com/golang/vulndb/issues/2617)
  - data/reports/GO-2024-2690.yaml    (https://github.com/golang/vulndb/issues/2690)
  - data/reports/GO-2024-2921.yaml    (https://github.com/golang/vulndb/issues/2921)
  - data/reports/GO-2024-2982.yaml    (https://github.com/golang/vulndb/issues/2982)
  - data/reports/GO-2024-3113.yaml    (https://github.com/golang/vulndb/issues/3113)
  - data/reports/GO-2024-3162.yaml    (https://github.com/golang/vulndb/issues/3162)
  - data/reports/GO-2024-3191.yaml    (https://github.com/golang/vulndb/issues/3191)
  - data/reports/GO-2024-3246.yaml    (https://github.com/golang/vulndb/issues/3246)
  - data/reports/GO-2025-3662.yaml    (https://github.com/golang/vulndb/issues/3662)
  - data/reports/GO-2025-3663.yaml    (https://github.com/golang/vulndb/issues/3663)
  - data/reports/GO-2025-3788.yaml    (https://github.com/golang/vulndb/issues/3788)
  - data/reports/GO-2025-3836.yaml    (https://github.com/golang/vulndb/issues/3836)
  - data/reports/GO-2025-3837.yaml    (https://github.com/golang/vulndb/issues/3837)
  - data/reports/GO-2025-3838.yaml    (https://github.com/golang/vulndb/issues/3838)
  - data/reports/GO-2025-3839.yaml    (https://github.com/golang/vulndb/issues/3839)
  - data/reports/GO-2025-3840.yaml    (https://github.com/golang/vulndb/issues/3840)
  - data/reports/GO-2025-3841.yaml    (https://github.com/golang/vulndb/issues/3841)
  - data/reports/GO-2025-3842.yaml    (https://github.com/golang/vulndb/issues/3842)
  - data/reports/GO-2025-3848.yaml    (https://github.com/golang/vulndb/issues/3848)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - fixed: 1.20.3
      vulnerable_at: 1.20.2
summary: HashiCorp Vault Community Edition Denial of Service Though Complex JSON Payloads in github.com/hashicorp/vault
cves:
    - CVE-2025-6203
ghsas:
    - GHSA-8f82-53h8-2p34
references:
    - advisory: https://github.com/advisories/GHSA-8f82-53h8-2p34
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6203
    - fix: https://github.com/hashicorp/vault/commit/eedc2b7426f30e57e306229ce697ce81e203ab89
    - web: https://discuss.hashicorp.com
    - web: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
source:
    id: GHSA-8f82-53h8-2p34
    created: 2025-08-29T17:01:12.248369216Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-8f82-53h8-2p34 #3924

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-8f82-53h8-2p34 #3924

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions