CVE-2025-4166

MEDIUM

HashiCorp Vault 0.3.0-1.19.2 and OpenBAO < 2.2.2 - Sensitive Information Exposure in KV v2 Plugin Error Logs

Title source: llm

Description

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

References (1)

Core 1

Core References

Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin

Scores

CVSS v3 4.5

EPSS 0.0034

EPSS Percentile 25.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (4)

hashicorp/vault 0.3.0 - 1.16.20

hashicorp/vault 0.3.0 - 1.19.3

hashicorp/vault 0.3.0 - 1.19.3Go

openbao/openbao < 2.2.2

Published May 02, 2025

Tracked Since Feb 18, 2026