CVE-2025-59043: OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests
JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage (similar to a zip bomb). While reproducing the issue, we could reach a factor of about 35. This can be used to circumvent the [max_request_size (https://openbao.org/docs/configuration/listener/tcp/) configuration parameter, which is meant to protect against Denial of Service attacks, and also makes Denial of Service attacks easier in general, as the attacker needs much less resources.
References
- discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393
- github.com/advisories/GHSA-g46h-2rq9-gw5m
- github.com/openbao/openbao
- github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go
- github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m
- nvd.nist.gov/vuln/detail/CVE-2025-59043
- nvd.nist.gov/vuln/detail/CVE-2025-6203
Code Behaviors & Features
Detect and mitigate CVE-2025-59043 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →