HashiCorp Vault Denial-of-Service Vulnerability via Complex JSON Payloads

Vulnerability

A denial-of-service vulnerability has been identified in HashiCorp Vault, affecting both the Community and Enterprise editions. The issue arises when a malicious user submits a complex JSON payload that meets the default request size limit. This can lead to excessive memory and CPU usage, causing a timeout in Vault's auditing process and potentially making the Vault server unresponsive. The vulnerability is present in Vault versions 1.15.0 up to 1.20.2, as well as 1.19.8, 1.18.13, and 1.16.24. It has been fixed in Vault Community Edition 1.20.3 and Vault Enterprise versions 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Impact

Exploitation of this vulnerability can cause the Vault server to become unresponsive, disrupting its availability and potentially leading to missed audit logs.

Remediation

Users are advised to upgrade to Vault Community Edition 1.20.3 or Vault Enterprise 1.20.3, 1.19.9, 1.18.14, or 1.16.25. General guidance for upgrading Vault is available in the Vault Upgrading documentation.
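The following Go check is an added example, not code from the advisory or from HashiCorp: it maps a reported Vault version string onto the affected and fixed versions listed above, treating the 1.19.9, 1.18.14 and 1.16.25 fixes as Enterprise-only backports. Stripping a "v" prefix and a "+ent" or "-rc" suffix before parsing is an assumption about how builds label themselves.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseVersion turns "1.19.8" (optionally "v"-prefixed or with a "+ent"
// or "-rc1" suffix; suffix handling is an assumption) into major/minor/patch.
func parseVersion(s string) (v [3]int, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unrecognised version %q", s)
	}
	for i, p := range parts {
		if v[i], err = strconv.Atoi(p); err != nil {
			return v, fmt.Errorf("unrecognised version %q", s)
		}
	}
	return v, nil
}

// IsAffected reports whether a Vault build falls in the advisory's affected
// range (1.15.0 through 1.20.2). The fix ships in 1.20.3 for both editions;
// Enterprise additionally has the backports 1.19.9, 1.18.14 and 1.16.25,
// so an Enterprise build on those branches is clean at or above that patch.
func IsAffected(version string, enterprise bool) (bool, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	maj, min, patch := v[0], v[1], v[2]
	if maj != 1 || min < 15 || min > 20 || (min == 20 && patch >= 3) {
		return false, nil // older than 1.15.0, or already at 1.20.3+
	}
	if enterprise { // Enterprise-only fixed patch level per branch
		fixedPatch := map[int]int{19: 9, 18: 14, 16: 25}
		if p, ok := fixedPatch[min]; ok && patch >= p {
			return false, nil
		}
	}
	return true, nil
}
```

A Community build on 1.16.25 is still reported as affected, because the advisory lists 1.20.3 as the only Community fix.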

Added: Aug 28, 2025, 8:19 PM
Updated: Aug 28, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread:         7.3
impact:         2.5
exploitability: 7.4
remediation:    7.7
relevance:      0.4
threat:         0.0
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.