CVE-2025-59043
- Source
- https://cve.org/CVERecord?id=CVE-2025-59043
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59043.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-59043
- Aliases
- Downstream
- Related
- Published
- 2025-10-17T16:03:23.584Z
- Modified
- 2026-04-10T05:31:43.766323Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- OpenBao vulnerable to denial of service via malicious JSON request processing
- Details
-
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the maxrequestsize configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
- Database specific
{ "cwe_ids": [ "CWE-400" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59043.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59043.json
- https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m
- https://nvd.nist.gov/vuln/detail/CVE-2025-59043
- https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c
- https://github.com/openbao/openbao/pull/1756
Affected packages
Git / github.com/openbao/openbao
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openbao/openbao
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
api/auth/approle/v0.*
api/auth/approle/v0.1.0
api/auth/approle/v0.1.1
api/auth/approle/v0.2.0
api/auth/approle/v0.3.0
api/auth/approle/v0.4.0
api/auth/approle/v0.4.1
api/auth/approle/v1.*
api/auth/approle/v1.1.0-development20240408
api/auth/approle/v2.*
api/auth/approle/v2.0.1
api/auth/approle/v2.2.0
api/auth/approle/v2.3.0
api/auth/approle/v2.4.0
api/auth/aws/v0.*
api/auth/aws/v0.1.0
api/auth/aws/v0.2.0
api/auth/aws/v0.3.0
api/auth/aws/v0.4.0
api/auth/aws/v0.4.1
api/auth/aws/v1.*
api/auth/aws/v1.1.0-development20240408
api/auth/azure/v0.*
api/auth/azure/v0.1.0
api/auth/azure/v0.2.0
api/auth/azure/v0.3.0
api/auth/azure/v0.4.0
api/auth/azure/v0.4.1
api/auth/azure/v1.*
api/auth/azure/v1.1.0-development20240408
api/auth/gcp/v0.*
api/auth/gcp/v0.1.0
api/auth/gcp/v0.2.0
api/auth/gcp/v0.3.0
api/auth/gcp/v0.4.0
api/auth/gcp/v0.4.1
api/auth/gcp/v1.*
api/auth/gcp/v1.1.0-development20240408
api/auth/jwt/v2.*
api/auth/jwt/v2.4.0
api/auth/kubernetes/v1.*
api/auth/kubernetes/v1.1.0-development20240408
api/auth/kubernetes/v2.*
api/auth/kubernetes/v2.0.1
api/auth/kubernetes/v2.2.0
api/auth/kubernetes/v2.3.0
api/auth/kubernetes/v2.4.0
api/auth/ldap/v1.*
api/auth/ldap/v1.1.0-development20240408
api/auth/ldap/v2.*
api/auth/ldap/v2.0.1
api/auth/ldap/v2.2.0
api/auth/ldap/v2.3.0
api/auth/ldap/v2.4.0
api/auth/userpass/v0.*
api/auth/userpass/v0.1.0
api/auth/userpass/v0.2.0
api/auth/userpass/v0.3.0
api/auth/userpass/v0.4.0
api/auth/userpass/v0.4.1
api/auth/userpass/v1.*
api/auth/userpass/v1.1.0-development20240408
api/auth/userpass/v2.*
api/auth/userpass/v2.0.1
api/auth/userpass/v2.2.0
api/auth/userpass/v2.3.0
api/auth/userpass/v2.4.0
api/v1.*
api/v1.0.1
api/v1.0.2
api/v1.0.3
api/v1.0.4
api/v1.1.1
api/v1.100.0-development20240408
api/v1.2.0
api/v1.3.1
api/v1.5.0
api/v1.6.0
api/v1.7.0
api/v1.7.1
api/v1.7.2
api/v1.8.0
api/v1.8.1
api/v1.8.2
api/v1.8.3
api/v1.9.0
api/v1.9.1
api/v1.9.2
api/v2.*
api/v2.0.1
api/v2.1.0
api/v2.2.0
api/v2.3.0
api/v2.4.0
Other
before-plugin-removal
dev-namespaces-base-20250215
dev-namespaces-base-20250311
dev-namespaces-base-20250424
sdk/v0.*
sdk/v0.1.10
sdk/v0.1.11
sdk/v0.1.12
sdk/v0.1.13
sdk/v0.1.8
sdk/v0.1.9
sdk/v0.2.1
sdk/v0.3.0
sdk/v0.4.1
sdk/v0.5.0
sdk/v0.5.1
sdk/v0.5.3
sdk/v0.6.0
sdk/v0.6.1
sdk/v0.6.2
sdk/v0.7.0
sdk/v0.8.0
sdk/v0.9.0
sdk/v0.9.1
sdk/v1.*
sdk/v1.100.0-development20240408
sdk/v2.*
sdk/v2.0.1
sdk/v2.1.0
sdk/v2.2.0
sdk/v2.3.0
sdk/v2.4.0
v2.*
v2.0.0
v2.0.0-alpha20240329
v2.0.0-beta20240618
v2.1.0-beta20241114
v2.1.0-beta20241114.1
v2.1.0-beta20241114.2
v2.1.0-beta20241114.3
v2.2.0-beta20250213
v2.3.0-beta20250528
v2.4.0