CVE-2025-4166: Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information

May 2, 2025 (updated May 6, 2025)

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

References

discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin
github.com/advisories/GHSA-gcqf-f89c-68hv
github.com/hashicorp/vault
nvd.nist.gov/vuln/detail/CVE-2025-4166
pkg.go.dev/vuln/GO-2025-3663

Code Behaviors & Features

Detect and mitigate CVE-2025-4166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →