CVE-2025-4166
4.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HashiCorp | Vault | 0.3.0 < 1.19.2 | affected |
| HashiCorp | Vault Enterprise | 0.10.0 < 1.19.2 | affected |
Weaknesses
- CWE-209: CWE-209: Generation of Error Message Containing Sensitive Information
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.