CVE-2025-4166

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-4166

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4166.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-4166

Aliases

Related

Published

2025-05-02T15:15:50.313Z

Modified

2026-01-09T19:15:02.883462Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

References

https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin

Affected packages

Git / github.com/hashicorp/vault

Affected ranges

Type: GIT
Repo: https://github.com/hashicorp/vault
Events: Introduced

347f48c55bae0fa7a36d8eae6028de9a6eeefc01

Fixed

a2de3bb7bcf4a073cbb8724863a5a88d3c2f83da

Affected versions

api/auth/approle/v0.*

api/auth/approle/v0.1.0

api/auth/approle/v0.1.1

api/auth/approle/v0.2.0

api/auth/approle/v0.3.0

api/auth/approle/v0.4.0

api/auth/approle/v0.4.1

api/auth/approle/v0.5.0

api/auth/approle/v0.6.0

api/auth/approle/v0.7.0

api/auth/approle/v0.8.0

api/auth/approle/v0.9.0

api/auth/aws/v0.*

api/auth/aws/v0.1.0

api/auth/aws/v0.2.0

api/auth/aws/v0.3.0

api/auth/aws/v0.4.0

api/auth/aws/v0.4.1

api/auth/aws/v0.5.0

api/auth/aws/v0.6.0

api/auth/aws/v0.7.0

api/auth/aws/v0.8.0

api/auth/aws/v0.9.0

api/auth/azure/v0.*

api/auth/azure/v0.1.0

api/auth/azure/v0.2.0

api/auth/azure/v0.3.0

api/auth/azure/v0.4.0

api/auth/azure/v0.4.1

api/auth/azure/v0.5.0

api/auth/azure/v0.6.0

api/auth/azure/v0.7.0

api/auth/azure/v0.8.0

api/auth/gcp/v0.*

api/auth/gcp/v0.1.0

api/auth/gcp/v0.2.0

api/auth/gcp/v0.3.0

api/auth/gcp/v0.4.0

api/auth/gcp/v0.4.1

api/auth/gcp/v0.5.0

api/auth/gcp/v0.6.0

api/auth/gcp/v0.7.0

api/auth/gcp/v0.8.0

api/auth/gcp/v0.9.0

api/auth/kubernetes/v0.*

api/auth/kubernetes/v0.1.0

api/auth/kubernetes/v0.2.0

api/auth/kubernetes/v0.3.0

api/auth/kubernetes/v0.4.0

api/auth/kubernetes/v0.4.1

api/auth/kubernetes/v0.5.0

api/auth/kubernetes/v0.6.0

api/auth/kubernetes/v0.7.0

api/auth/kubernetes/v0.8.0

api/auth/kubernetes/v0.9.0

api/auth/ldap/v0.*

api/auth/ldap/v0.1.0

api/auth/ldap/v0.2.0

api/auth/ldap/v0.3.0

api/auth/ldap/v0.4.0

api/auth/ldap/v0.4.1

api/auth/ldap/v0.5.0

api/auth/ldap/v0.6.0

api/auth/ldap/v0.7.0

api/auth/ldap/v0.8.0

api/auth/ldap/v0.9.0

api/auth/userpass/v0.*

api/auth/userpass/v0.1.0

api/auth/userpass/v0.2.0

api/auth/userpass/v0.3.0

api/auth/userpass/v0.4.0

api/auth/userpass/v0.4.1

api/auth/userpass/v0.5.0

api/auth/userpass/v0.6.0

api/auth/userpass/v0.7.0

api/auth/userpass/v0.8.0

api/auth/userpass/v0.9.0

api/v1.*

api/v1.0.1

api/v1.0.2

api/v1.0.3

api/v1.0.4

api/v1.1.1

api/v1.10.0

api/v1.11.0

api/v1.12.0

api/v1.12.1

api/v1.12.2

api/v1.13.0

api/v1.14.0

api/v1.15.0

api/v1.16.0

api/v1.2.0

api/v1.3.1

api/v1.5.0

api/v1.6.0

api/v1.7.0

api/v1.7.1

api/v1.7.2

api/v1.8.0

api/v1.8.1

api/v1.8.2

api/v1.8.3

api/v1.9.0

api/v1.9.1

api/v1.9.2

Other

last-go-modable

main-creation

sdk/v0.*

sdk/v0.1.10

sdk/v0.1.11

sdk/v0.1.12

sdk/v0.1.13

sdk/v0.1.8

sdk/v0.1.9

sdk/v0.10.0

sdk/v0.10.1

sdk/v0.11.0

sdk/v0.11.1

sdk/v0.12.0

sdk/v0.13.0

sdk/v0.14.0

sdk/v0.14.1

sdk/v0.15.0

sdk/v0.15.1

sdk/v0.15.2

sdk/v0.2.1

sdk/v0.3.0

sdk/v0.4.1

sdk/v0.5.0

sdk/v0.5.1

sdk/v0.5.3

sdk/v0.6.0

sdk/v0.6.1

sdk/v0.6.2

sdk/v0.7.0

sdk/v0.8.0

sdk/v0.9.0

sdk/v0.9.1

sdk/v0.9.2

v0.*

v0.10.0

v0.10.0-rc1

v0.10.1

v0.10.2

v0.10.3

v0.10.4

v0.11.0

v0.11.0-beta1

v0.11.1

v0.11.2

v0.11.3

v0.11.4

v0.3.0

v0.3.1

v0.4.0

v0.4.0-rc1

v0.4.0-rc2

v0.4.1

v0.5.0

v0.5.0-rc1

v0.5.0-rc1.1

v0.5.0-rc1.2

v0.5.0-rc2

v0.5.1

v0.5.2

v0.6.0

v0.6.0-beta1

v0.6.0-beta2

v0.6.0-rc1

v0.6.0-rebuild

v0.6.1

v0.6.1-rc1

v0.6.1-rc2

v0.6.1-rc3

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.7.0

v0.7.0-beta1

v0.7.1

v0.7.2

v0.7.3

v0.8.0

v0.8.0-beta1

v0.8.0-rc1

v0.8.1

v0.8.2

v0.8.3

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.9.4

v0.9.5

v0.9.6

v1.*

v1.0.0

v1.0.0-beta1

v1.0.0-beta2

v1.0.0-rc1

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.1.0-beta1

v1.1.0-beta2

v1.1.1

v1.1.2

v1.19.0

v1.19.0-rc1

v1.19.1

v1.19.2

v1.2.0

v1.2.0-beta1

v1.2.0-beta2

v1.2.0-rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4166.json"

Git / github.com/openbao/openbao

Affected ranges

Type: GIT
Repo: https://github.com/openbao/openbao
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8c0322c0423231836a1432fdad29dc2e99640da9

Affected versions

api/auth/approle/v0.*

api/auth/approle/v0.1.0

api/auth/approle/v0.1.1

api/auth/approle/v0.2.0

api/auth/approle/v0.3.0

api/auth/approle/v0.4.0

api/auth/approle/v0.4.1

api/auth/approle/v1.*

api/auth/approle/v1.1.0-development20240408

api/auth/approle/v2.*

api/auth/approle/v2.0.1

api/auth/approle/v2.2.0

api/auth/aws/v0.*

api/auth/aws/v0.1.0

api/auth/aws/v0.2.0

api/auth/aws/v0.3.0

api/auth/aws/v0.4.0

api/auth/aws/v0.4.1

api/auth/aws/v1.*

api/auth/aws/v1.1.0-development20240408

api/auth/azure/v0.*

api/auth/azure/v0.1.0

api/auth/azure/v0.2.0

api/auth/azure/v0.3.0

api/auth/azure/v0.4.0

api/auth/azure/v0.4.1

api/auth/azure/v1.*

api/auth/azure/v1.1.0-development20240408

api/auth/gcp/v0.*

api/auth/gcp/v0.1.0

api/auth/gcp/v0.2.0

api/auth/gcp/v0.3.0

api/auth/gcp/v0.4.0

api/auth/gcp/v0.4.1

api/auth/gcp/v1.*

api/auth/gcp/v1.1.0-development20240408

api/auth/kubernetes/v1.*

api/auth/kubernetes/v1.1.0-development20240408

api/auth/kubernetes/v2.*

api/auth/kubernetes/v2.0.1

api/auth/kubernetes/v2.2.0

api/auth/ldap/v1.*

api/auth/ldap/v1.1.0-development20240408

api/auth/ldap/v2.*

api/auth/ldap/v2.0.1

api/auth/ldap/v2.2.0

api/auth/userpass/v0.*

api/auth/userpass/v0.1.0

api/auth/userpass/v0.2.0

api/auth/userpass/v0.3.0

api/auth/userpass/v0.4.0

api/auth/userpass/v0.4.1

api/auth/userpass/v1.*

api/auth/userpass/v1.1.0-development20240408

api/auth/userpass/v2.*

api/auth/userpass/v2.0.1

api/auth/userpass/v2.2.0

api/v1.*

api/v1.0.1

api/v1.0.2

api/v1.0.3

api/v1.0.4

api/v1.1.1

api/v1.100.0-development20240408

api/v1.2.0

api/v1.3.1

api/v1.5.0

api/v1.6.0

api/v1.7.0

api/v1.7.1

api/v1.7.2

api/v1.8.0

api/v1.8.1

api/v1.8.2

api/v1.8.3

api/v1.9.0

api/v1.9.1

api/v1.9.2

api/v2.*

api/v2.0.1

api/v2.1.0

api/v2.2.0

Other

before-plugin-removal

fork-point

sdk/v0.*

sdk/v0.1.10

sdk/v0.1.11

sdk/v0.1.12

sdk/v0.1.13

sdk/v0.1.8

sdk/v0.1.9

sdk/v0.2.1

sdk/v0.3.0

sdk/v0.4.1

sdk/v0.5.0

sdk/v0.5.1

sdk/v0.5.3

sdk/v0.6.0

sdk/v0.6.1

sdk/v0.6.2

sdk/v0.7.0

sdk/v0.8.0

sdk/v0.9.0

sdk/v0.9.1

sdk/v1.*

sdk/v1.100.0-development20240408

sdk/v2.*

sdk/v2.0.1

sdk/v2.1.0

sdk/v2.2.0

v2.*

v2.0.0

v2.0.0-alpha20240329

v2.0.0-beta20240618

v2.1.0-beta20241114

v2.1.0-beta20241114.1

v2.1.0-beta20241114.2

v2.1.0-beta20241114.3

v2.2.0

v2.2.0-beta20250213

v2.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4166.json"