Bug 2404738 (CVE-2025-59043)

Summary: CVE-2025-59043 openbao: OpenBao vulnerable to denial of service via malicious JSON request processing
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A critical Denial of Service vulnerability has been identified in the OpenBao secrets management system. This flaw allows an unauthenticated attacker to send a specially crafted data request, a JSON payload, that consumes a disproportionate amount of memory when processed, functioning like a memory-based "zip bomb." This exploit bypasses standard security configurations intended to limit request sizes and prevent service disruptions. Successfully exploiting this vulnerability leads to an out-of-memory crash of the OpenBao server, resulting in a complete Denial of Service for the secrets management system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2404798, 2404799, 2404800
Bug Blocks:

Description OSIDB Bzimport 2025-10-17 17:02:41 UTC
OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
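The description above makes a general point worth seeing in code: a byte limit such as max_request_size bounds the serialized body, but not the number of allocations a decoder makes when it turns that body into a map[string]interface{}, so a small body can still expand many times over in memory. The following Go program is an added illustration written for this page; it is not OpenBao's code and does not reproduce the 2.4.1 fix. The function names (DecodeBounded, checkBudget), the sentinel errors, the limits (1 MiB, 100 tokens, depth 8) and the sample bodies are all constructed for the example. The idea is to stream the body with json.Decoder.Token, which allocates one token at a time, and refuse to build the full structure unless the body stays within a token and nesting budget in addition to the byte budget.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Sentinel errors so callers can distinguish the three budgets.
var (
	ErrTooLarge      = errors.New("json: body exceeds byte budget")
	ErrTooManyTokens = errors.New("json: body exceeds token budget")
	ErrTooDeep       = errors.New("json: body exceeds nesting depth budget")
)

// Constructed sample bodies (not taken from the advisory):
// a normal small request, a wide array of cheap tokens, and a deeply nested array.
var (
	constructedSmallBody = []byte(`{"data":{"value":"s3cr3t"}}`)
	constructedWideBody  = []byte(`{"a":[` + strings.Repeat("1,", 499) + `1]}`)
	constructedDeepBody  = []byte(strings.Repeat("[", 50) + strings.Repeat("]", 50))
)

// checkBudget walks the JSON token by token without building any map or slice.
// Memory during this pass is bounded by the largest single token, not by the
// number of tokens, so it is safe to run on an untrusted, unauthenticated body.
func checkBudget(r io.Reader, maxTokens, maxDepth int) error {
	dec := json.NewDecoder(r)
	tokens, depth := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err // malformed JSON: reject before any structural decode
		}
		tokens++
		if tokens > maxTokens {
			return ErrTooManyTokens
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{', '[':
				depth++
				if depth > maxDepth {
					return ErrTooDeep
				}
			case '}', ']':
				depth--
			}
		}
	}
}

// DecodeBounded applies three budgets in order: serialized bytes (the role
// max_request_size plays), then token count and nesting depth via the streaming
// pass, and only then performs the allocating Unmarshal into a map.
func DecodeBounded(body []byte, maxBytes int64, maxTokens, maxDepth int) (map[string]interface{}, error) {
	if int64(len(body)) > maxBytes {
		return nil, fmt.Errorf("%w: %d bytes > %d", ErrTooLarge, len(body), maxBytes)
	}
	if err := checkBudget(bytes.NewReader(body), maxTokens, maxDepth); err != nil {
		return nil, err
	}
	var out map[string]interface{}
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, err
	}
	return out, nil
}

func main() {
	const maxBytes, maxTokens, maxDepth = 1 << 20, 100, 8
	for name, body := range map[string][]byte{
		"small": constructedSmallBody,
		"wide":  constructedWideBody,
		"deep":  constructedDeepBody,
	} {
		_, err := DecodeBounded(body, maxBytes, maxTokens, maxDepth)
		fmt.Printf("%-5s body (%d bytes): err=%v\n", name, len(body), err)
	}
}
```

All three constructed bodies are far below the 1 MiB byte budget, yet only the small one is decoded; the wide and deep bodies are rejected by the streaming pass before any map is allocated. In a real server the budgets would be tuned to the largest legitimate request and enforced at the same early point in the handler chain where the advisory notes the body is parsed, i.e. before authentication.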