HIGH🇵🇱 Wersja polska

CVE-2025-59043

CVSS 7.5v3.1pub. 2025-10-17upd. 2025-10-24

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Openbao

    APP
    Openbao
    < 2.4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDoSDeserialization
CWE
References

Related vulnerabilities

CVE-2026-33758CRITICAL9.4PL ✓ten sam produkt

XSS w OpenBao — kradzież tokenu Web UI przez parametr error_description

CVE-2026-33757CRITICAL9.6PL ✓ten sam produkt

OpenBao: zdalne phishing przez JWT/OIDC bez potwierdzenia logowania

CVE-2025-54997CRITICAL9.1PL ✓ten sam produkt

OpenBao: ominięcie restrykcji przez subsystem audytu — RCE i dostęp sieciowy

CVE-2025-64761HIGH7.5ten sam produkt

OpenBao is an open source identity-based secrets management system. Prior to version 2.4.4, a privileged opera...

CVE-2025-54996HIGH7.2ten sam produkt

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secret...

CVE-2025-59043 — Openbao — HIGH — CVSS 7.5 | CVEbaza.pl