x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

GoVulnBot · 2025-05-02T20:01:25Z

Advisory GHSA-gcqf-f89c-68hv references a vulnerability in the following Go modules:

Module
github.com/hashicorp/vault

Description:
Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

References:

Cross references:

github.com/hashicorp/vault appears in 37 other report(s):
- data/reports/GO-2022-0578.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-362v-wg5p-64w2 #578)
- data/reports/GO-2022-0590.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-c5wc-v287-82pc #590)
- data/reports/GO-2022-0611.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-pfmw-vj74-ph8g #611)
- data/reports/GO-2022-0618.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-qv95-g3gm-x542 #618)
- data/reports/GO-2022-0620.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-23fq-q7hc-993r #620)
- data/reports/GO-2022-0623.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-38j9-7pp9-2hjw #623)
- data/reports/GO-2022-0632.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6239-28c2-9mrm, CVE-2021-38554 #632)
- data/reports/GO-2022-0778.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/command: GHSA-25xj-89g5-fm6h #778)
- data/reports/GO-2022-0816.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9vh5-r4qw-v3vv #816)
- data/reports/GO-2022-0825.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-fp52-qw33-mfmw #825)
- data/reports/GO-2022-1021.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-7cgv-v83v-rr87 #1021)
- data/reports/GO-2023-1685.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v3hp-mcj5-pg39 #1685)
- data/reports/GO-2023-1708.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-hwc3-3qh6-r4gg #1708)
- data/reports/GO-2023-1709.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-vq4h-9ghm-qmrr #1709)
- data/reports/GO-2023-1849.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gq98-53rq-qr5h #1849)
- data/reports/GO-2023-1897.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9mh8-9j64-443f #1897)
- data/reports/GO-2023-1900.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-wmg5-g953-qqfw #1900)
- data/reports/GO-2023-1986.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-9v3w-w2jh-4hff #1986)
- data/reports/GO-2023-2063.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-v84f-6r39-cpfc #2063)
- data/reports/GO-2023-2088.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-86c6-3g63-5w64 #2088)
- data/reports/GO-2023-2329.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-4qhc-v8r6-8vwm #2329)
- data/reports/GO-2023-2399.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-6p62-6cg9-f5f5 #2399)
- data/reports/GO-2024-2485.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-j6vv-vv26-rh7c #2485)
- data/reports/GO-2024-2486.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-m979-w9wj-qfj9 #2486)
- data/reports/GO-2024-2488.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault/vault: GHSA-4mp7-2m29-gqxf #2488)
- data/reports/GO-2024-2508.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rpgp-9hmg-j25x #2508)
- data/reports/GO-2024-2509.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rq95-xf66-j689 #2509)
- data/reports/GO-2024-2511.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: CVE-2024-0831 #2511)
- data/reports/GO-2024-2514.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-57gg-cj55-q5g2 #2514)
- data/reports/GO-2024-2617.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-r3w7-mfpm-c2vw #2617)
- data/reports/GO-2024-2690.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-j2rp-gmqv-frhv #2690)
- data/reports/GO-2024-2921.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-32cj-5wx4-gq8p #2921)
- data/reports/GO-2024-2982.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-2qmw-pvf7-4mw6 #2982)
- data/reports/GO-2024-3113.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jjxf-26c9-77gm #3113)
- data/reports/GO-2024-3162.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-jg74-mwgw-v6x3 #3162)
- data/reports/GO-2024-3191.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-rr8j-7w34-xp5j #3191)
- data/reports/GO-2024-3246.yaml (x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-g233-2p4r-3q7v #3246)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/hashicorp/vault
      versions:
        - introduced: 0.3.0
        - fixed: 1.19.3
      vulnerable_at: 1.19.2
summary: |-
    Hashicorp Vault Community vulnerable to Generation of Error Message Containing
    Sensitive Information in github.com/hashicorp/vault
cves:
    - CVE-2025-4166
ghsas:
    - GHSA-gcqf-f89c-68hv
references:
    - advisory: https://github.com/advisories/GHSA-gcqf-f89c-68hv
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-4166
    - web: https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin
source:
    id: GHSA-gcqf-f89c-68hv
    created: 2025-05-02T20:01:24.76222318Z
review_status: UNREVIEWED

The text was updated successfully, but these errors were encountered:

gopherbot · 2025-05-06T13:30:11Z

Change https://go.dev/cl/670315 mentions this issue: data/reports: add 5 reports

GoVulnBot added the NeedsTriage label May 2, 2025

thatnealpatel added triaged and removed NeedsTriage labels May 5, 2025

gopherbot closed this as completed in aa7c6ae May 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

GoVulnBot commented May 2, 2025

gopherbot commented May 6, 2025

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

x/vulndb: potential Go vuln in github.com/hashicorp/vault: GHSA-gcqf-f89c-68hv #3663

Comments

GoVulnBot commented May 2, 2025

gopherbot commented May 6, 2025