CVE-2025-59043— OpenBao vulnerable to denial of service via malicious JSON request processing
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-59043
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenBao vulnerable to denial of service via malicious JSON request processing
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenBao 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenBao是OpenBao开源的一个敏感数据管理软件。 OpenBao 2.4.1之前版本存在资源管理错误漏洞,该漏洞源于JSON对象反序列化后可能占用过多内存,可能导致拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-59043
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-59043
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: openbao
- CVE-2026-40264
OpenBao's Token Store Allows Cross-Namespace Renewal, Revoca - CVE-2026-39396
OpenBao has Decompression Bomb via Unbounded Copy in OCI Plu - CVE-2026-39388
OpenBao's Certificate Authentication Allows Token Renewal Wi - CVE-2026-39946
OpenBao allows SQL Injection in PostgreSQL database secrets - CVE-2026-33758
OpenBao has Reflected XSS in its OIDC authentication error m
Same vendor: openbao
- CVE-2026-40264
OpenBao's Token Store Allows Cross-Namespace Renewal, Revoca - CVE-2026-39396
OpenBao has Decompression Bomb via Unbounded Copy in OCI Plu - CVE-2026-39388
OpenBao's Certificate Authentication Allows Token Renewal Wi - CVE-2026-39946
OpenBao allows SQL Injection in PostgreSQL database secrets - CVE-2026-33758
OpenBao has Reflected XSS in its OIDC authentication error m
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2025-59043
No comments yet