CVE-2023-5954
Denial of Service vulnerability in vault (Go)
What is CVE-2023-5954 About?
This is a Denial of Service vulnerability in HashiCorp Vault Community Edition, triggered by complex JSON payloads. Attackers can exploit this to render the service unavailable by sending specially crafted, intricate JSON data. Due to the reliance on parsing complex data, exploitation could be moderately easy for an attacker with insight into the system's processing capabilities.
Affected Software
- github.com/hashicorp/vault
  - >1.15.0, <1.15.2
  - <1.13.10
  - >1.14.0, <1.14.6
Technical Details
The vulnerability resides within HashiCorp Vault Community Edition and is triggered by the processing of 'complex JSON payloads.' This implies that certain JSON structures, likely deeply nested, excessively large, or containing specific, computationally intensive patterns, can cause the Vault application to consume disproportionate resources (CPU, memory, or both) during parsing and processing. When an attacker sends such a crafted complex JSON payload, the Vault instance becomes overloaded, unable to handle legitimate requests, and consequently enters a Denial of Service state. The attack vector involves sending these malicious JSON payloads to an endpoint that processes client-supplied JSON data, typically via the Vault API.
What is the Impact of CVE-2023-5954?
Successful exploitation may allow attackers to cause a denial of service, leading to the disruption of secret management services, unavailability of the Vault application, and potential interruption of critical infrastructure or applications relying on Vault.
What is the Exploitability of CVE-2023-5954?
Exploitation involves crafting and sending 'complex JSON payloads' to the vulnerable HashiCorp Vault instance. The complexity for an attacker lies in understanding what constitutes a 'complex' payload that triggers the resource exhaustion. Authentication requirements may vary depending on where these JSON payloads are processed; some endpoints might be accessible unauthenticated, while others require valid credentials. This is a remote vulnerability. Risk factors include publicly exposed Vault APIs and the potential for a low-privileged attacker to impact service availability by repeatedly sending these payloads.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-5954?
Available Upgrade Options
- github.com/hashicorp/vault
  - <1.13.10 → Upgrade to 1.13.10
  - >1.14.0, <1.14.6 → Upgrade to 1.14.6
  - >1.15.0, <1.15.2 → Upgrade to 1.15.2
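An added example, not code from HashiCorp or from this page: a Go check that matches a Vault version, or the Vault requirement in a go.mod file, against the affected ranges and upgrade targets listed above. The bounds are copied exactly as this page writes them (exclusive at both ends); the names key, FixFor and ScanGoMod and the sample go.mod fragment are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const vaultModule = "github.com/hashicorp/vault" // module path from "Affected Software"

// Ranges as the page lists them: exclusive lower bound ("" = none), exclusive upper bound = upgrade target.
var ranges = [][2]string{{"", "1.13.10"}, {"1.14.0", "1.14.6"}, {"1.15.0", "1.15.2"}}

// key maps "v1.14.3" to 1014003 so 1.9.0 < 1.13.10; assumes components < 1000, ignores -pre/+build suffixes.
func key(v string) (uint, error) {
	var major, minor, patch uint
	_, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &major, &minor, &patch)
	return (major*1000+minor)*1000 + patch, err
}

// FixFor returns the upgrade target if version is in a listed range, else "".
func FixFor(version string) (string, error) {
	v, err := key(version)
	if err != nil {
		return "", err // unparsable: the caller must not read this as "not affected"
	}
	for _, r := range ranges {
		lo, loErr := key(r[0]) // loErr != nil means the range has no lower bound
		hi, _ := key(r[1])
		if v < hi && (loErr != nil || v > lo) {
			return r[1], nil
		}
	}
	return "", nil
}

// ScanGoMod flags the Vault module itself; exact path match skips the separately versioned /api and /sdk modules.
func ScanGoMod(gomod string) (hits []string) {
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == vaultModule {
			if fix, err := FixFor(f[1]); err != nil || fix != "" {
				hits = append(hits, fmt.Sprintf("%s fix=%q err=%v", f[1], fix, err))
			}
		}
	}
	return hits
}

func main() { // constructed go.mod fragment
	fmt.Println(ScanGoMod("require (\n\tgithub.com/hashicorp/vault v1.14.3\n\tgithub.com/hashicorp/vault/api v1.10.0\n)"))
}
```

A version that cannot be parsed is reported rather than skipped, so it is reviewed by hand instead of being counted as unaffected.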
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-5954
- https://discuss.hashicorp.com/t/hcsec-2023-33-vault-requests-triggering-policy-checks-may-lead-to-unbounded-memory-consumption/59926
- https://osv.dev/vulnerability/GO-2023-2329
- https://github.com/advisories/GHSA-4qhc-v8r6-8vwm
- https://security.netapp.com/advisory/ntap-20231227-0001/
- https://github.com/hashicorp/vault
What are Similar Vulnerabilities to CVE-2023-5954?
Similar Vulnerabilities: CVE-2023-5954, CVE-2025-27144, CVE-2022-22965, CVE-2021-44228, CVE-2020-1938
