
Cloud Vulnerability DB
A community-led vulnerabilities database
The Key/Value (kv) Version 2 plugin in Vault Community and Vault Enterprise contains a vulnerability that may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. The vulnerability affects Vault Community Edition from 0.3.0 up to 1.19.2 and Vault Enterprise from 0.3.0 up to 1.19.2, 1.18.8, 1.17.15, 1.16.19. This vulnerability has been assigned identifier CVE-2025-4166 (HashiCorp Discuss, NVD).
The defect lies in how the Key/Value (kv) Version 2 plugin handles malformed request payloads submitted through the REST API during secret creation or update, for example a request body that is not well-formed JSON. When such a request fails, the resulting error message carries the submitted secret value, and Vault writes that message to both its server log and its audit log. The vulnerability has been assigned a CVSS v3.1 base score of 4.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N, and is classified under CWE-209 (Generation of Error Message Containing Sensitive Information) (NVD).
The impact is exposure of sensitive information in server and audit logs: when a user submits a malformed payload while creating or updating a secret, the actual secret value may be recorded there. The exposure occurs only on the error path for incorrectly formatted API requests; normal operations through the UI or CLI remain unaffected (HashiCorp Discuss).
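To make the CWE-209 pattern concrete, the following added example (illustrative code written for this page, not Vault's own kv plugin) shows a minimal JSON write handler in two variants. The vulnerable variant builds its parse-error message from the raw request body, so anything that logs the error also logs the secret value; the hardened variant reports only the parser's position. The handler names, the `"data"` key layout and the malformed body are constructed assumptions.

```python
import json
import logging

log = logging.getLogger("kv-example")

# Constructed malformed body: a trailing comma makes it invalid JSON, and the
# "password" value stands in for a secret the caller was trying to store.
MALFORMED_BODY = '{"data": {"password": "example-secret-value",}}'


def write_secret_vulnerable(raw_body: str) -> dict:
    """Illustrative handler that reproduces the CWE-209 defect (not Vault code)."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        # BAD: the raw body, which carries the secret value, is copied into the
        # error string, so server and audit logging of this error leaks the value.
        err = f"failed to parse JSON input: {exc.msg} in request body: {raw_body}"
        log.error(err)
        return {"errors": [err]}
    return {"data": payload.get("data", {})}


def write_secret_hardened(raw_body: str) -> dict:
    """Same handler with the error message limited to parser metadata."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        # GOOD: report where parsing failed, never what the body contained.
        err = (f"failed to parse JSON input: {exc.msg} "
               f"at line {exc.lineno} column {exc.colno}")
        log.error(err)
        return {"errors": [err]}
    return {"data": payload.get("data", {})}


def error_leaks_value(response: dict, secret_value: str) -> bool:
    """True if any error string in the handler response contains the secret value."""
    return any(secret_value in e for e in response.get("errors", []))


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (write_secret_vulnerable, write_secret_hardened):
        leaked = error_leaks_value(handler(MALFORMED_BODY), "example-secret-value")
        print(f"{handler.__name__}: secret in error message = {leaked}")
```

The design point is that error strings are rarely treated as sensitive by logging and audit pipelines, so the safe boundary is to keep user-supplied content out of them entirely rather than to redact it downstream.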
The vulnerability has been fixed in Vault Community 1.19.3 and Vault Enterprise versions 1.19.3, 1.18.9, 1.17.16, and 1.16.20. Organizations should upgrade to these patched versions. Additionally, customers are advised to search through server and audit logs for any possible exposed secrets using specific log patterns provided in the security advisory. If matches are found, affected secrets should be rotated (HashiCorp Discuss).
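The advisory's search-and-rotate step can be narrowed to the audit entries that could actually be affected: failed create or update requests against kv v2 `data/` paths. The added example below (written for this page, not HashiCorp's tooling) triages JSON-lines audit output on that basis and reports only metadata, never the error text, because on an unpatched server that text is exactly where the secret would be. It assumes the file audit device's JSON layout (`type`, `time`, `request.operation`, `request.path`, top-level `error`) and the default `<mount>/data/<key>` kv v2 path layout; the sample lines are constructed, and the illustrative error string is not the advisory's published pattern.

```python
import json
from typing import Iterable

# Constructed sample audit-log lines (assumed file audit device JSON layout).
SAMPLE_AUDIT_LINES = [
    json.dumps({"time": "2025-05-01T10:00:00Z", "type": "response",
                "request": {"operation": "update", "path": "secret/data/app/db"},
                "error": ""}),
    json.dumps({"time": "2025-05-01T10:01:00Z", "type": "response",
                "request": {"operation": "create", "path": "secret/data/app/api"},
                "error": "failed to parse JSON input: <illustrative, elided>"}),
    json.dumps({"time": "2025-05-01T10:02:00Z", "type": "response",
                "request": {"operation": "read", "path": "secret/data/app/db"},
                "error": ""}),
    json.dumps({"time": "2025-05-01T10:03:00Z", "type": "response",
                "request": {"operation": "update", "path": "sys/policies/acl/app"},
                "error": "permission denied"}),
    "not a json line (e.g. a truncated write)",
]

# kv v2 secret writes arrive as create/update requests on <mount>/data/<key>.
KV2_WRITE_OPS = {"create", "update"}


def is_kv2_data_path(path: str) -> bool:
    """Assumption: default kv v2 layout, i.e. a '/data/' segment after the mount."""
    return "/data/" in path


def triage_audit_lines(lines: Iterable[str]) -> list[dict]:
    """Return review metadata for failed kv v2 writes, the entries CVE-2025-4166
    can affect. The error text itself is deliberately never copied out."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the whole scan
        request = entry.get("request") or {}
        path = request.get("path", "")
        operation = request.get("operation", "")
        error = entry.get("error") or ""
        if operation in KV2_WRITE_OPS and is_kv2_data_path(path) and error:
            findings.append({
                "line": line_no,
                "time": entry.get("time"),
                "path": path,
                "operation": operation,
                "error_chars": len(error),  # size only, not content
            })
    return findings


def paths_to_rotate(findings: list[dict]) -> set[str]:
    """Distinct secret paths whose values may have reached the logs."""
    return {f["path"] for f in findings}


if __name__ == "__main__":
    hits = triage_audit_lines(SAMPLE_AUDIT_LINES)
    for hit in hits:
        print(f"line {hit['line']} {hit['time']} {hit['operation']} {hit['path']}")
    print("rotate:", sorted(paths_to_rotate(hits)))
```

In practice, feed `triage_audit_lines` the audit file line by line, combine its output with the exact log patterns from the security advisory for the server-log side, and treat every path it returns as a rotation candidate until reviewed.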
Source: This report was generated using AI