Description

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.

INFO

Published Date :

2025-10-17T16:03:23.584Z

Last Modified :

2025-10-17T17:22:52.795Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59043 vulnerability.

Vendors Products
Openbao
  • Openbao
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59043.

URL Resource
https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50 cve-icon cve-icon
https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c cve-icon cve-icon
https://github.com/openbao/openbao/pull/1756 cve-icon cve-icon
https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact