Vulnerability Report

CVE-2025-6203

Title: Hashicorp Vault RCE

DoS

Proof Of Concept

No public PoC currently indexed for CVE-2025-6203.

CWE Category CWE-770

Published Date Aug 28, 2025

Modified Date Dec 18, 2025

Exploit Status Not Found

Score 7.5 CVSS v3.1

Exploit Probability (EPSS)

0.10%

Vulnerability Summary

CVE-2025-6203: A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault’s auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25.

Impacted Vendors

hashicorp 1

tibco 1

Reference Links

https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2025-6203 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

December 18, 2025 MODIFIED

Vulnerability data or affected products updated.

December 18, 2025 MODIFIED

Vulnerability data updated via NVD.

August 28, 2025 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Stack

No specific products linked.