CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4166: Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin

4.5 CVSS

Description

Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

Classification

CVE ID: CVE-2025-4166

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Problem Types

CWE-209: Generation of Error Message Containing Sensitive Information

Affected Products

Vendor: HashiCorp

Product: Vault, Vault Enterprise

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.16% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4166
https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin

Timeline

2025-05-02 15:40:19 UTC
CVE

Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin
2025-05-02 20:15:28 UTC
Github Advisory Database (Go)

[github.com/hashicorp/vault] Hashicorp Vault Community vulnerable to Generation of Error Message Containing Sensitive Information
2025-06-26 22:15:23 UTC
Github Advisory Database (Go)

[github.com/openbao/openbao/sdk/v2/framework] OpenBao Inserts Sensitive Information into Log File when processing malformed data