CVE-2025-59043: 
Wolfi vulnerability analysis and mitigation

CVE-2025-59043 affects OpenBao, an open source identity-based secrets management system, in versions prior to 2.4.1. The vulnerability was discovered and disclosed on October 17, 2025. The issue allows unauthenticated attackers to cause denial of service through maliciously crafted JSON payloads (GitHub Advisory).

The vulnerability stems from how JSON objects are processed after decoding, potentially using significantly more memory than their serialized version. An attacker can craft JSON payloads to maximize the factor between serialized and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35x. The vulnerability exists because the request body is parsed into a map very early in the request handling chain before authentication, allowing unauthenticated attackers to trigger out-of-memory conditions. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability allows attackers to circumvent the maxrequestsize configuration parameter intended to protect against denial of service attacks. This makes denial of service attacks more efficient as attackers need fewer resources to cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU (GitHub Advisory).

The vulnerability is fixed in OpenBao version 2.4.1. Users should upgrade to this version or later. As a workaround, administrators can configure the maxrequestjsonmemory and maxrequestjsonstrings parameters to limit JSON processing resource consumption (GitHub Advisory).