The Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin is crucial for safely storing and managing secrets in modern and secure applications. However, a recent vulnerability discovered in these plugins could inadvertently be exposing sensitive data in server and audit logs. In this long read, we will delve into the details surrounding CVE-2025-4166, the vulnerability affecting these plugins. We will also explore the recommended fixes and share some code snippets to demonstrate the exploitation of the vulnerability.

Details of CVE-2025-4166

CVE-2025-4166 is a vulnerability found in both Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugins. The vulnerability arises when users send malformed payloads while creating or updating secrets via the Vault REST API. The resulting unintended behavior causes potentially sensitive information to be exposed in server and audit logs.

Exploit Example

To see the vulnerability in action, consider the following code snippet that triggers CVE-2025-4166 when a malformed payload is submitted:

import requests

url = "https://vault.example.com:820/v1/secret/data/foo"
headers = {"X-Vault-Token": "your-vault-token", "Content-Type": "application/json"}

# Malformed Payload - JSON Object instead of JSON Array
payload = '{"data": {"bar": [1, 2, {"secret": "supersecret"}]}}'

# The body is passed as a raw string (data=) rather than json= so that it is
# sent exactly as written, without being re-serialised by requests
response = requests.put(url, headers=headers, data=payload)

print(response.status_code)
print(response.text)

In this example, the payload variable holds a JSON object rather than a JSON array; this is the malformed shape that triggers the problem. When the payload is submitted through the REST API, it may cause sensitive information to be written to server and audit logs.
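As an added example (not code from the original article or from HashiCorp), the following client-side check validates the shape of a KV v2 write body before it is sent, so that a malformed request never reaches the server and nothing about it ends up in server or audit logs. The policy it enforces, that the body is a JSON object whose "data" member is itself a JSON object holding only scalar values, is a conservative assumption chosen for this example, not a rule taken from Vault's documentation. The rejected sample is the payload shown above.

```python
import json

# Conservative client-side policy (an assumption of this example, not a Vault
# rule): the write body must be a JSON object whose "data" member is a JSON
# object mapping keys to scalar values only. Nested lists or objects are refused.
SCALARS = (str, int, float, bool, type(None))

# The payload from the article above, kept as the sample that must be rejected.
PAGE_PAYLOAD = '{"data": {"bar": [1, 2, {"secret": "supersecret"}]}}'


def validate_kv2_write(body: str) -> list:
    """Return a list of problems found in a KV v2 write body; an empty list means OK."""
    problems = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value must be a JSON object"]
    data = doc.get("data")
    if not isinstance(data, dict):
        return ['"data" must be a JSON object']
    for key, value in data.items():
        if not isinstance(value, SCALARS):
            problems.append(
                f'"data.{key}" has a nested {type(value).__name__}; '
                "only scalar values are allowed"
            )
    # "options" (for example check-and-set settings) must be an object when present
    if "options" in doc and not isinstance(doc["options"], dict):
        problems.append('"options" must be a JSON object')
    return problems


def guarded_body(body: str) -> str:
    """Return the body unchanged when it passes validation, else raise ValueError.
    Call this immediately before requests.put(...) to stop malformed writes."""
    problems = validate_kv2_write(body)
    if problems:
        raise ValueError("refusing to send KV v2 write: " + "; ".join(problems))
    return body


if __name__ == "__main__":
    print(validate_kv2_write(PAGE_PAYLOAD))
    print(validate_kv2_write('{"data": {"bar": "baz"}}'))
```

Wrapping the body in guarded_body() before the PUT fails closed: the malformed sample raises a ValueError in the client, while a flat object such as {"data": {"bar": "baz"}} passes through untouched.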

This vulnerability was first published in the following official sources:

- Vault 1.19.3 Release Notes
- CVE-2025-4166 Entry in National Vulnerability Database (NVD)

Fixed versions: Vault Enterprise 1.19.3, 1.18.9, 1.17.16, or 1.16.20

You should also check any server and audit logs for the presence of sensitive information, especially if you have encountered or found malformed payloads in your application requests.
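As an added example (not code from the original article or from HashiCorp), the script below does the two checks just recommended. First, is_fixed() compares a running Vault version against the fixed versions listed above, line by line (1.16, 1.17, 1.18, 1.19); treating release lines newer than 1.19 as fixed and older than 1.16 as unfixed is an assumption of this example. Second, find_plaintext_findings() reads audit-log entries and reports fields that look like leaked data. The audit lines are constructed for this example in the shape the file audit device writes (one JSON document per line, with request and response data values HMAC'd as "hmac-sha256:..."); a value in those sections that lacks the HMAC prefix, or any field containing a caller-supplied known secret value, is reported.

```python
import json
import re

# Fixed versions listed in this article, keyed by minor release line.
FIXED_VERSIONS = {
    (1, 19): (1, 19, 3),
    (1, 18): (1, 18, 9),
    (1, 17): (1, 17, 16),
    (1, 16): (1, 16, 20),
}

HMAC_PREFIX = "hmac-sha256:"


def parse_version(text: str) -> tuple:
    """Turn '1.18.7' or 'v1.18.7+ent' into (1, 18, 7); raise on anything else."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version_text: str) -> bool:
    """True when the version is at or above the fix for its release line.
    Assumption: lines newer than 1.19 carry the fix; lines older than 1.16 do not."""
    v = parse_version(version_text)
    line = v[:2]
    if line in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[line]
    return line > (1, 19)


# Constructed audit-log entries (not real Vault output) in the shape of the
# file audit device: one JSON document per line, data values HMAC'd.
SAMPLE_AUDIT_LINES = [
    json.dumps({"type": "request", "request": {"path": "secret/data/foo",
        "operation": "update", "data": {"data": {"bar": "hmac-sha256:0123abcd"}}}}),
    json.dumps({"type": "response", "request": {"path": "secret/data/foo"},
        "response": {"data": {"version": "hmac-sha256:fedc9876"}}}),
    # Constructed illustration of leakage: a plaintext value inside an error string
    json.dumps({"type": "response", "request": {"path": "secret/data/foo"},
        "error": "invalid payload: {\"secret\": \"supersecret\"}"}),
]


def _walk_strings(node, path=""):
    """Yield (dotted_path, string_value) for every string nested in node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk_strings(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_plaintext_findings(lines, known_secrets=()):
    """Return (line_no, field_path, reason) tuples for suspicious fields:
    request/response data values without the HMAC prefix, and any field
    containing one of the known secret values supplied by the caller."""
    findings = []
    for no, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((no, "", "unparseable audit line"))
            continue
        for section in ("request", "response"):
            data = entry.get(section, {}).get("data")
            if data is None:
                continue
            for path, value in _walk_strings(data, f"{section}.data"):
                if not value.startswith(HMAC_PREFIX):
                    findings.append((no, path, "value is not HMAC'd"))
        for path, value in _walk_strings(entry):
            for secret in known_secrets:
                if secret in value:
                    findings.append((no, path, "contains a known secret value"))
    return findings


if __name__ == "__main__":
    for ver in ("1.18.7", "v1.19.3+ent"):
        print(ver, "fixed" if is_fixed(ver) else "NOT fixed")
    for finding in find_plaintext_findings(SAMPLE_AUDIT_LINES, ("supersecret",)):
        print(finding)
```

For a real review, feed the script the lines of the audit device's log file and pass the secret values you suspect were sent in malformed requests as known_secrets; any finding is a reason to rotate that secret, since audit logs are usually shipped to and retained by systems outside Vault.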

In conclusion, CVE-2025-4166 is a critical vulnerability that exposes sensitive data in server and audit logs under specific conditions. Users should take immediate action to update their Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugins to the specified fixed versions, and carefully examine logs for potentially exposed information. Doing so will help preserve the security and integrity of the stored secrets, ensuring that applications using the Vault REST API remain safe and properly protected.

Timeline

Published on: 05/02/2025 15:15:50 UTC