CVE-2025-59043

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50	Product
https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c	Patch
https://github.com/openbao/openbao/pull/1756	Issue Tracking
https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-10-17 16:15

Updated : 2025-10-24 17:13

NVD link : CVE-2025-59043

Mitre link : CVE-2025-59043

CVE.ORG link : CVE-2025-59043

JSON object : View

Products Affected

openbao

openbao

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2025-59043", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-10-17T16:15:38.763", "references": [{"url": "https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/pull/1756", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1."}], "lastModified": "2025-10-24T17:13:10.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "542C558D-BFC0-4CC6-B683-74E4DFB31A30", "versionEndExcluding": "2.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}