Description
Advisory GHSA-g46h-2rq9-gw5m references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/openbao/openbao |
Description:
Summary
JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage (similar to a zip bomb). While reproducing the issue, we could reach a factor of about 35. This can be used to circumvent the [max_request_size](https://openbao.org/docs/configuration/listener/tcp/) configuration parameter, which is meant to protect against Denial of Service attacks, and also makes Denial of Service attacks easier in general, as the attacker needs much less resources.
...
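The amplification described in the summary above is exactly what a byte cap such as `max_request_size` cannot see. The following Go guard is an added example, not OpenBao's own code: it streams the request body's JSON tokens before any full decode and rejects bodies whose decoded value count or nesting depth exceeds a budget, so the cost of a small-but-deep body is bounded by structure rather than bytes. The budget values and the two sample bodies are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// JSONBudget bounds what a byte cap such as max_request_size cannot: the values and nesting a body decodes into.
type JSONBudget struct {
	MaxTokens int // decoded values allowed; every one costs heap memory
	MaxDepth  int // nesting levels allowed
}

var ErrTooMany = errors.New("json body has too many tokens")
var ErrTooDeep = errors.New("json body is nested too deeply")

// CheckJSONBudget streams tokens without materializing the document and fails as soon as
// a budget is exceeded; run it over the body before json.Unmarshal. It returns the token count.
func CheckJSONBudget(r io.Reader, b JSONBudget) (int, error) {
	dec, tokens, depth := json.NewDecoder(r), 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF && depth == 0 {
			return tokens, nil // complete document within budget
		}
		if err != nil {
			return tokens, err // a bare io.EOF here means an unterminated value
		}
		if tokens++; tokens > b.MaxTokens {
			return tokens, ErrTooMany
		}
		if d, ok := tok.(json.Delim); ok && (d == '{' || d == '[') {
			if depth++; depth > b.MaxDepth {
				return tokens, ErrTooDeep
			}
		} else if ok {
			depth-- // closing '}' or ']'
		}
	}
}

func main() { // constructed inputs: the second is only 80 bytes yet opens 40 nesting levels
	for _, body := range []string{`{"a":[1,2,{"b":null}]}`, strings.Repeat("[", 40) + strings.Repeat("]", 40)} {
		n, err := CheckJSONBudget(strings.NewReader(body), JSONBudget{MaxTokens: 64, MaxDepth: 16})
		fmt.Printf("%d bytes: %d tokens, err=%v\n", len(body), n, err)
	}
}
```

Because the check consumes the reader, run it over a buffered copy of the body (the byte slice the listener already read under `max_request_size`) and only then hand that same slice to the real decoder.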
References:
- ADVISORY: GHSA-g46h-2rq9-gw5m
- ADVISORY: GHSA-g46h-2rq9-gw5m
- WEB: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
- WEB: https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-6203
Cross references:
- github.com/openbao/openbao appears in 8 other report(s):
  - data/reports/GO-2025-3783.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao/api/v2: GHSA-prpj-rchp-9j5h #3783)
  - data/reports/GO-2025-3853.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-f7c3-mhj2-9pvg #3853)
  - data/reports/GO-2025-3854.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-hh28-h22f-8357 #3854)
  - data/reports/GO-2025-3855.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-j3xv-7fxp-gfhx #3855)
  - data/reports/GO-2025-3856.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-rxp7-9q75-vj3p #3856)
  - data/reports/GO-2025-3857.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-vf84-mxrq-crqc #3857)
  - data/reports/GO-2025-3858.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-xp75-r577-cvhp #3858)
  - data/reports/GO-2025-3859.yaml (x/vulndb: potential Go vuln in github.com/openbao/openbao: GHSA-2q8q-8fgw-9p6p #3859)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/openbao/openbao
      non_go_versions:
          - introduced: TODO (earliest fixed "2.4.1", vuln range "<= 2.4.0")
      vulnerable_at: 0.0.0-20251017170207-af9a9156024b
summary: |-
    OpenBao has potential Denial of Service vulnerability when processing malicious
    unauthenticated JSON requests in github.com/openbao/openbao
cves:
    - CVE-2025-59043
ghsas:
    - GHSA-g46h-2rq9-gw5m
references:
    - advisory: https://github.com/advisories/GHSA-g46h-2rq9-gw5m
    - advisory: https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m
    - web: https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
    - web: https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-6203
source:
    id: GHSA-g46h-2rq9-gw5m
    created: 2025-10-17T18:01:23.995970666Z
review_status: UNREVIEWED
```