CVE-2025-59043
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-17

Last updated on: 2025-10-24

Assigner: GitHub, Inc.

Description
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-17
Last Modified
2025-10-24
Generated
2026-06-16
AI Q&A
2025-10-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59043
EUVD
EUVD-2025-34895
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbao openbao to 2.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OpenBao versions prior to 2.4.1 involves the handling of JSON objects. Specifically, after decoding, JSON objects can consume significantly more memory than their serialized form, with a factor of up to approximately 35. An attacker can craft a JSON payload to exploit this, similar to a zip bomb, to bypass the max_request_size limit designed to prevent denial of service attacks. Because the request body is parsed into a map early in the request handling process before authentication, an unauthenticated attacker can send such a payload and cause the system to crash due to out-of-memory conditions. Additionally, requests with many strings can cause the audit subsystem to use excessive CPU resources. The issue is fixed in version 2.4.1.

Impact Analysis

This vulnerability can lead to denial of service (DoS) by causing the OpenBao system to crash due to out-of-memory conditions triggered by specially crafted JSON payloads. It can also cause high CPU usage in the audit subsystem when processing requests with many strings. Since the attack can be performed by unauthenticated users, it poses a significant risk of service disruption.

Mitigation Strategies

Upgrade OpenBao to version 2.4.1 or later, where this vulnerability is fixed. Until then, consider restricting or filtering unauthenticated requests that contain large or suspicious JSON payloads to prevent out-of-memory crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart