CVE-2025-4166
Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin
4.5
MEDIUM
CVSS 3.1
EPSS 0.15%
Description
The Key/Value (kv) version 2 secrets engine plugin in Vault Community and Vault Enterprise may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. The issue is fixed in Vault Community 1.19.3 and in Vault Enterprise 1.19.3, 1.18.9, 1.17.16 and 1.16.20.
How to fix CVE-2025-4166
To remediate CVE-2025-4166, upgrade Vault to a fixed release:
- Vault Community: upgrade to 1.19.3 or later
- Vault Enterprise: upgrade to 1.19.3 or later, or to the patched release on your current minor line (1.18.9, 1.17.16 or 1.16.20)
Because the exposure is in log output, upgrading does not remove anything already written to server or audit logs: review logs from the affected period and rotate any secret values found in them.
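The following triage helper is an added example, not part of this advisory or of HashiCorp's code. It encodes the affected range and the fixed releases stated above (Community 1.19.3; Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20) and decides whether a given Vault build still needs the upgrade, including the edition-specific case where a Community 1.18.x build has no backported fix. It assumes that `vault version` prints a line of the form `Vault v1.19.2 (...), built ...` and that Enterprise builds carry a `+ent` suffix; that output format and the sample lines are constructed for the example.

```python
"""Triage helper for CVE-2025-4166 (Vault KV v2 log exposure).

Added example, not HashiCorp's code. Version data comes from the advisory:
affected >= 0.3.0 and < 1.19.3; fixed in Community 1.19.3 and in
Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20. The `vault version` line
format and the '+ent' suffix on Enterprise builds are assumptions about
the CLI output, not something the advisory states.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Lowest affected version and, per edition, the patch releases that fix it.
AFFECTED_FROM: Version = (0, 3, 0)
FIXED = {
    "community": [(1, 19, 3)],
    "enterprise": [(1, 19, 3), (1, 18, 9), (1, 17, 16), (1, 16, 20)],
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(\+ent)?")


def parse_vault_version(text: str) -> Tuple[str, Version]:
    """Return (edition, (major, minor, patch)) from a `vault version` line.

    Assumption: Enterprise builds are marked with a '+ent' suffix."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    edition = "enterprise" if m.group(4) else "community"
    return edition, (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(edition: str, version: Version) -> bool:
    """True when this edition/version still contains the KV v2 logging bug."""
    if version < AFFECTED_FROM:
        return False  # below the affected range
    if version >= (1, 19, 3):
        return False  # 1.19.3 and later are fixed for both editions
    # Inside the affected range only a backported patch release on the same
    # minor line clears it; Community has no backports, Enterprise has three.
    for fixed in FIXED[edition]:
        if version[:2] == fixed[:2] and version >= fixed:
            return False
    return True


def remediation(edition: str, version: Version) -> Optional[str]:
    """Patched release on the same minor line if one exists, else 1.19.3."""
    if not is_vulnerable(edition, version):
        return None
    for fixed in FIXED[edition]:
        if fixed[:2] == version[:2]:
            return "%d.%d.%d" % fixed
    return "1.19.3"


def triage(version_output: str) -> dict:
    """Parse one `vault version` line and report status plus upgrade target."""
    edition, version = parse_vault_version(version_output)
    return {
        "edition": edition,
        "version": "%d.%d.%d" % version,
        "vulnerable": is_vulnerable(edition, version),
        "upgrade_to": remediation(edition, version),
    }


if __name__ == "__main__":
    # Constructed sample lines in the shape `vault version` is assumed to print.
    for line in [
        "Vault v1.19.2 (deadbeef), built 2025-04-01T00:00:00Z",
        "Vault v1.18.8+ent (deadbeef), built 2025-04-01T00:00:00Z",
        "Vault v1.18.9+ent (deadbeef), built 2025-05-01T00:00:00Z",
        "Vault v1.18.9 (deadbeef), built 2025-05-01T00:00:00Z",
    ]:
        print(triage(line))
```

The last two sample lines show why the edition matters: Enterprise 1.18.9 is a patched release, while Community 1.18.9 sits inside the affected range and only 1.19.3 fixes it.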
Is CVE-2025-4166 being exploited?
Low: EPSS is 0.15%, a low estimated probability of exploitation in the wild over the next 30 days. The CVSS vector also requires high privileges (PR:H) and user interaction (UI:R), which further limits practical exploitability.
Affected packages (3)
- >= 0.3.0, < 1.19.3
- >= 0.3.0, < 1.19.3
- >= 0.3.0, < 1.19.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N |