CVE-2025-4166

EUVD-2025-13240
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.5 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
HashiCorpCNA
4.5 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
Affected Products (NVD)
VendorProductVersion
hashicorpvault
0.3.0 ≤
𝑥
< 1.16.20
hashicorpvault
0.3.0 ≤
𝑥
< 1.19.3
hashicorpvault
1.17.0 ≤
𝑥
< 1.17.16
hashicorpvault
1.18.0 ≤
𝑥
< 1.18.9
hashicorpvault
1.19.0 ≤
𝑥
< 1.19.3
openbaoopenbao
𝑥
< 2.2.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin