CVE-2025-4166

MEDIUM

Hashicorp Vault < 1.16.20 - Error Information Exposure

Title source: rule

Description

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

References (1)

[Vendor Advisory] https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin

Scores

CVSS v3 4.5

EPSS 0.0015

EPSS Percentile 34.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (4)

hashicorp/vault 0.3.0 - 1.16.20

hashicorp/vault 0.3.0 - 1.19.3

hashicorp/vault 0.3.0 - 1.19.3Go

openbao/openbao < 2.2.2

Published May 02, 2025

Tracked Since Feb 18, 2026