CVE-2025-59043 Overview
CVE-2025-59043 is a denial of service vulnerability in OpenBao, an open source identity-based secrets management system. The vulnerability exists in how OpenBao handles JSON request body parsing, where specially crafted JSON payloads can consume significantly more memory when deserialized compared to their serialized form. This amplification factor can reach approximately 35x, similar to a "zip bomb" technique, allowing attackers to bypass the max_request_size configuration parameter designed to prevent resource exhaustion attacks.
Critical Impact
Unauthenticated attackers can send malicious JSON payloads to crash OpenBao instances via out-of-memory conditions, causing complete denial of service for secrets management operations.
Affected Products
- OpenBao versions prior to 2.4.1
Discovery Timeline
- October 17, 2025 - CVE-2025-59043 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2025-59043
Vulnerability Analysis
This vulnerability exploits the fundamental difference between serialized and deserialized JSON memory representation. When OpenBao receives an HTTP request, the JSON request body is parsed into a Go map data structure very early in the request handling chain—critically, before any authentication checks occur. This pre-authentication parsing allows unauthenticated attackers to trigger resource exhaustion.
The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). An attacker can craft JSON objects that maximize memory expansion during deserialization, with amplification factors reaching approximately 35x. This means a relatively small HTTP request can consume disproportionately large amounts of server memory.
Additionally, requests containing large numbers of strings can cause the audit subsystem to consume excessive CPU resources, compounding the denial of service impact. The max_request_size configuration parameter, intended to prevent such attacks, is ineffective because it only limits the serialized request size, not the deserialized memory footprint.
Root Cause
The root cause is the lack of complexity limits on JSON deserialization in the HTTP request handling code. The vulnerable code in http/logical.go parses incoming JSON bodies without validating or limiting the complexity of the resulting data structures. Since JSON allows deeply nested objects, repeated keys, and structures that expand significantly in memory, an attacker can exploit this asymmetry.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker sends a specially crafted HTTP request with a malicious JSON body to any OpenBao endpoint. The JSON is designed to minimize serialized size while maximizing deserialized memory consumption. When OpenBao attempts to parse this JSON into memory, it triggers an out-of-memory condition, crashing the service.
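The asymmetry described above is easiest to see in code. The following is an added example, not OpenBao's own implementation and not code from the advisory: it shows the defensive pattern a complexity limit relies on. Instead of unmarshalling straight into a map, the body is first walked with Go's streaming json.Decoder, counting every container, key and scalar token, and the full deserialization only runs if the count stays under a budget. The function names (countJSONComplexity, parseBody, buildWideBody), the budget value and the sample bodies are assumptions chosen for illustration; the sample bodies are constructed here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooComplex is returned when a body exceeds the configured token budget.
// (Hypothetical name; OpenBao's real error values may differ.)
var ErrTooComplex = errors.New("json body exceeds complexity limit")

// countJSONComplexity walks a JSON document with the streaming decoder and
// counts every container open, object key and scalar value. It never builds the
// map[string]interface{} tree, so the work done before rejecting a body is
// proportional to its serialized size, which max_request_size already bounds.
// It returns ErrTooComplex as soon as the budget is exceeded rather than
// scanning the whole body.
func countJSONComplexity(r io.Reader, limit int) (int, error) {
	dec := json.NewDecoder(r)
	count, depth := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return count, err // malformed JSON (mismatched delimiters, bad literal, ...)
		}
		switch t := tok.(type) {
		case json.Delim:
			switch t {
			case '{', '[':
				depth++
				count++
			case '}', ']':
				depth--
			}
		default:
			count++ // object key, string, number, bool or null
		}
		if count > limit {
			return count, ErrTooComplex
		}
	}
	// Decoder.Token reports a clean EOF even for a truncated document, so the
	// depth check is what turns `{"a":` into an error instead of a pass.
	if depth != 0 {
		return count, io.ErrUnexpectedEOF
	}
	return count, nil
}

// parseBody gates the expensive map construction behind the complexity check.
// The body is assumed to have already been read under a serialized-size limit.
func parseBody(body []byte, maxComplexity int) (map[string]interface{}, error) {
	if _, err := countJSONComplexity(bytes.NewReader(body), maxComplexity); err != nil {
		return nil, err
	}
	var out map[string]interface{}
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	return out, nil
}

// SampleBody is a constructed, ordinary-looking secrets write request.
const SampleBody = `{"data":{"value":"s3cr3t"},"ttl":"1h"}`

// buildWideBody constructs a JSON array of n empty objects. It is only a test
// fixture for exercising the budget; each `{}` costs one token in the count.
func buildWideBody(n int) string {
	return "[" + strings.Repeat("{},", n-1) + "{}]"
}

func main() {
	const budget = 1000 // same order as the example listener setting on this page

	n, err := countJSONComplexity(strings.NewReader(SampleBody), budget)
	fmt.Printf("sample body: %d tokens, err=%v\n", n, err)

	wide := buildWideBody(5000)
	_, err = parseBody([]byte(wide), budget)
	fmt.Printf("wide body (%d serialized bytes): err=%v\n", len(wide), err)
}
```

The design point is that the counter runs in the same pre-authentication position the page describes for OpenBao's parser, but its cost is tied to bytes on the wire rather than to the shape of the resulting map, which is exactly the gap max_request_size on its own leaves open.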
// Security patch in command/server.go - Adding JSON complexity limits
// (excerpt: the enclosing listener-setup loop that defines i, props and lnConfig is omitted)
        Config: lnConfig,
    })
    // Fall back to the built-in default when the listener stanza does not set a limit
    if lnConfig.MaxRequestJsonComplexity == 0 {
        lnConfig.MaxRequestJsonComplexity = vault.DefaultMaxJsonComplexity
    }
    props["max_request_json_complexity"] = fmt.Sprintf("%d", lnConfig.MaxRequestJsonComplexity)
    // Store the listener props for output later
    key := fmt.Sprintf("listener %d", i+1)
    propsList := make([]string, 0, len(props))
Source: GitHub Commit d418f238
Detection Methods for CVE-2025-59043
Indicators of Compromise
- Unusual memory consumption spikes on OpenBao server processes
- HTTP requests with abnormally complex or deeply nested JSON structures
- Out-of-memory errors or crashes in OpenBao logs
- Elevated CPU utilization in the audit subsystem
Detection Strategies
- Monitor OpenBao process memory usage for sudden spikes that exceed normal operational baselines
- Implement network-level inspection to identify HTTP requests with unusually large or complex JSON payloads
- Configure alerting on OpenBao service restarts or unexpected process terminations
- Review audit logs for patterns of failed requests preceding service disruptions
Monitoring Recommendations
- Set up infrastructure monitoring to track memory and CPU utilization on OpenBao servers
- Implement rate limiting on HTTP endpoints to slow potential attack attempts
- Configure log aggregation to capture and analyze OpenBao error logs for OOM conditions
- Deploy application performance monitoring to detect latency anomalies indicating resource exhaustion
How to Mitigate CVE-2025-59043
Immediate Actions Required
- Upgrade OpenBao to version 2.4.1 or later immediately
- Review OpenBao server logs for evidence of exploitation attempts
- Ensure monitoring and alerting are configured for service availability
- Consider implementing a web application firewall (WAF) with JSON payload inspection
Patch Information
The vulnerability is fixed in OpenBao version 2.4.1. The patch introduces a new max_request_json_complexity configuration parameter that limits the complexity of JSON bodies in HTTP requests, preventing memory exhaustion attacks. The fix was implemented in Pull Request #1756 and can be reviewed in the security advisory GHSA-g46h-2rq9-gw5m.
Workarounds
- Place a reverse proxy or WAF in front of OpenBao to inspect and limit JSON request complexity
- Implement network-level access controls to restrict which systems can reach OpenBao endpoints
- Configure resource limits (cgroups, container limits) to prevent a single crash from affecting other services
- Monitor and restart OpenBao services automatically if memory thresholds are exceeded
# Example: Setting JSON complexity limit in OpenBao configuration
# Add to listener stanza in openbao.hcl
listener "tcp" {
    address                     = "0.0.0.0:8200"
    tls_disable                 = false
    max_request_json_complexity = 1000
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.