Description

The Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when a user submits a malformed payload during a secret create or update operation through the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16 and 1.16.20.

Status: PUBLISHED | Reserved 2025-04-30 | Published 2025-05-02 | Updated 2025-05-08 | Assigner: HashiCorp

Severity: MEDIUM 4.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

Problem types

CWE-209: Generation of Error Message Containing Sensitive Information

Product status

Default status: unaffected
0.3.0 (semver) before 1.19.2: affected

Default status: unaffected
0.10.0 (semver) before 1.19.2: affected

References

discuss.hashicorp.com/...alformed-data-with-the-kv-v2-plugin

cve.org (CVE-2025-4166)

nvd.nist.gov (CVE-2025-4166)