CVE-2025-4166

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Published: May 2, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-4166
GHSA: GHSA-gcqf-f89c-68hv
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWEs:

CWE-209

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
github.com/hashicorp/vault	0.3.0	1.19.3
hashicorp / vault	0.3.0	1.19.3
hashicorp / vault	0.3.0	1.16.20
hashicorp / vault	1.17.0	1.17.16
hashicorp / vault	1.18.0	1.18.9
hashicorp / vault	1.19.0	1.19.3

https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin
https://pkg.go.dev/vuln/GO-2025-3663

Vulnerability Database

CVE-2025-4166