HCSEC-2025-32 - Incomplete Fix For Previous Vault DoS Issue

Published
October 23, 2025

📋 Description

Bulletin ID: HCSEC-2025-32

Affected Products / Versions: Vault Community Edition 1.20.3 to 1.20.4; fixed in 1.21.0. Vault Enterprise 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, 1.16.25 to 1.16.26; fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27

Publication Date: October 23, 2025

Summary

A fix for a previous security issue affecting HashiCorp Vault (HCSEC-2025-24 / CVE-2025-6203) was incomplete and did not fully address the vulnerability. The fix was corrected in Vault versions 1.21.0, 1.20.5, 1.19.11, and 1.16.27. The CVE advisory and security bulletin have been updated to reflect the correct fixed versions.

Background

On August 28, HashiCorp published HCSEC-2025-24, describing a denial of service vulnerability in Vault. After publication, HashiCorp was notified that the JSON complexity check introduced to prevent the denial of service could be bypassed with a different specially crafted complex payload.

Details

The logic introduced as part of HCSEC-2025-24 has been corrected, and the corresponding bulletin and CVE have been updated to reflect the correct fixed versions.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 1.21.0 or Vault Enterprise 1.21.0, 1.20.5, 1.19.11, or 1.16.27. Please refer to Upgrading Vault for general guidance.

Acknowledgement

This issue was identified by Darrell Bethea, Ph.D. of Indeed. We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.

🎯 Affected products

  • Vault
  • Vault Enterprise
