From 858b9bf072cf28a1ba17fd60c0abd2e82469d75d Mon Sep 17 00:00:00 2001 From: Bianca Moreira Date: Tue, 23 Sep 2025 08:12:29 +0200 Subject: [PATCH 01/25] Add documentation about new Vault Listener params --- .../docs/configuration/listener/tcp/index.mdx | 23 +++++++++++++++++++ .../docs/configuration/listener/tcp/index.mdx | 23 +++++++++++++++++++ .../docs/configuration/listener/tcp/index.mdx | 23 +++++++++++++++++++ .../docs/configuration/listener/tcp/index.mdx | 23 +++++++++++++++++++ 4 files changed, 92 insertions(+) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index 3617a7be7e..9285d16f7b 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -280,6 +280,29 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co this listener. The default configuration will honor the global [configuration](/vault/docs/configuration/request-limiter). + ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. + This is a security control to mitigate the risk of stack exhaustion from deeply nested + objects, which could lead to a Denial of Service (DoS). + +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes + for a single string value within a JSON payload. This is a critical defense against excessive memory + allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. + +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs + allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) + attacks and prevents general resource exhaustion from objects with an excessive number of entries. + +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements + permitted in a single JSON array. This prevents a single request from causing excessive memory + consumption when processing large lists. 
+ +- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall + complexity limit, providing a safeguard against attacks that use a huge number of small elements + to exhaust CPU and memory. + ### `telemetry` parameters - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index 2fe9fd3166..4789d16764 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,6 +297,29 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. + ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. + This is a security control to mitigate the risk of stack exhaustion from deeply nested + objects, which could lead to a Denial of Service (DoS). + +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes + for a single string value within a JSON payload. This is a critical defense against excessive memory + allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. + +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs + allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) + attacks and prevents general resource exhaustion from objects with an excessive number of entries. + +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements + permitted in a single JSON array. This prevents a single request from causing excessive memory + consumption when processing large lists. 
+ +- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall + complexity limit, providing a safeguard against attacks that use a huge number of small elements + to exhaust CPU and memory. + ### `telemetry` parameters - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index 2fe9fd3166..4789d16764 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,6 +297,29 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. + ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. + This is a security control to mitigate the risk of stack exhaustion from deeply nested + objects, which could lead to a Denial of Service (DoS). + +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes + for a single string value within a JSON payload. This is a critical defense against excessive memory + allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. + +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs + allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) + attacks and prevents general resource exhaustion from objects with an excessive number of entries. + +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements + permitted in a single JSON array. This prevents a single request from causing excessive memory + consumption when processing large lists. 
+ +- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall + complexity limit, providing a safeguard against attacks that use a huge number of small elements + to exhaust CPU and memory. + ### `telemetry` parameters - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index 2fe9fd3166..4789d16764 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,6 +297,29 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. + ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. + This is a security control to mitigate the risk of stack exhaustion from deeply nested + objects, which could lead to a Denial of Service (DoS). + +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes + for a single string value within a JSON payload. This is a critical defense against excessive memory + allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. + +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs + allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) + attacks and prevents general resource exhaustion from objects with an excessive number of entries. + +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements + permitted in a single JSON array. This prevents a single request from causing excessive memory + consumption when processing large lists. 
+ +- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall + complexity limit, providing a safeguard against attacks that use a huge number of small elements + to exhaust CPU and memory. + ### `telemetry` parameters - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows From e5cc8922058a991437f17e5ba66ba6bbaae5bd43 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:04:18 +0200 Subject: [PATCH 02/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index 9285d16f7b..4a8150c75c 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
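Review bot: the five `max_json_*` entries say which threat each limit addresses but never say what happens when a limit is exceeded (which error and HTTP status Vault returns, and whether the request is rejected before the body is processed); add one sentence on that, since operators who tune these values down will need to recognise the resulting failures in their logs. Three smaller points on the same hunks: (1) `max_json_string_value_length` ends with "Defaults to 1MB", which duplicates the `(int: 1048576)` signature and rounds 1048576 bytes (1 MiB) to "1MB"; drop the trailing sentence. (2) The HashDoS justification for `max_json_object_entry_count` is doubtful for a Go service, because Go maps use a randomized hash seed; unless the claim has been verified against Vault's JSON decoder, describe the limit as a memory and CPU bound on oversized objects. (3) The new entries separate the parameter signature from its description with an en dash (`–`), while the existing entries in this section (`disable_replication_status_endpoints`, `unauthenticated_metrics_access`) use a plain hyphen; match the existing style. Also confirm that `max_json_token` is the exact key the listener config accepts, since it is the only one of the five that does not follow the `_count`/`_length` naming pattern of the others.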
@@ -280,7 +280,14 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co this listener. The default configuration will honor the global [configuration](/vault/docs/configuration/request-limiter). - ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + The JSON parsing limits like `max_json_depth` and `max_json_token` have + intentionally permissive defaults to suport a wide range of use cases. The + primary constraints on parsing limits are available RAM and CPU. We recommend + tuning your JSON parsing limits down from the defaults to match your specific + application needs and available resourcess. Due to the way the parsing limits + interact, running with permissive defaults in a low-resource environment like + a lightweight container can increase the risk that a large, complex JSON + payload could exhaust the available resources. - `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. This is a security control to mitigate the risk of stack exhaustion from deeply nested From 26227a792c5c9f91999574f412002862b1ee1c6e Mon Sep 17 00:00:00 2001 
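Review bot: two typos in the replacement paragraph: "suport" should be "support" and "resourcess" should be "resources". The rewrite also drops the `~>` marker, so the advice is no longer rendered as a warning callout; if that demotion is intentional, fine, otherwise keep the marker. The clause "Due to the way the parsing limits interact" asserts an interaction without saying what it is; either state how the limits combine (for example, that a payload can stay under every individual limit and still be expensive in aggregate) or cut the clause. The same paragraph is applied verbatim to the v1.18.x, v1.19.x and v1.20.x copies in PATCH 03 to 05, so the fixes are needed in all four files.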
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:04:25 +0200 Subject: [PATCH 03/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index 4789d16764..75b50a78fd 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,7 +297,14 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. - ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + The JSON parsing limits like `max_json_depth` and `max_json_token` have + intentionally permissive defaults to suport a wide range of use cases. The + primary constraints on parsing limits are available RAM and CPU. We recommend + tuning your JSON parsing limits down from the defaults to match your specific + application needs and available resourcess. Due to the way the parsing limits + interact, running with permissive defaults in a low-resource environment like + a lightweight container can increase the risk that a large, complex JSON + payload could exhaust the available resources. - `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. This is a security control to mitigate the risk of stack exhaustion from deeply nested From 655b2d52b01eff999b093c119238158ef120bbf0 Mon Sep 17 00:00:00 2001 
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:04:33 +0200 Subject: [PATCH 04/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index 4789d16764..75b50a78fd 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,7 +297,14 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. - ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + The JSON parsing limits like `max_json_depth` and `max_json_token` have + intentionally permissive defaults to suport a wide range of use cases. The + primary constraints on parsing limits are available RAM and CPU. We recommend + tuning your JSON parsing limits down from the defaults to match your specific + application needs and available resourcess. Due to the way the parsing limits + interact, running with permissive defaults in a low-resource environment like + a lightweight container can increase the risk that a large, complex JSON + payload could exhaust the available resources. - `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. This is a security control to mitigate the risk of stack exhaustion from deeply nested From 3ad75c0a9fc00d2bfaa7c8560f5ad389f3f4f8f9 Mon Sep 17 00:00:00 2001 
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:04:39 +0200 Subject: [PATCH 05/25] Update content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index 4789d16764..75b50a78fd 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -297,7 +297,14 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co - `disable_replication_status_endpoints` `(bool: false)` - Disables replication status endpoints for the configured listener when set to `true`. - ~> **Warning**: The JSON parsing limits (`max_json_depth`, `max_json_token`, etc.) are related, and their default values are intentionally permissive to support a wide range of use cases. These limits are resource-constrained, primarily by available RAM and CPU. Operators should tune these values down from the defaults to match their specific application needs and the resources available to their Vault cluster. Running with permissive defaults in a low-resource environment (such as a lightweight container) increases the risk that a large, complex JSON payload could cause resource exhaustion. + The JSON parsing limits like `max_json_depth` and `max_json_token` have + intentionally permissive defaults to suport a wide range of use cases. The + primary constraints on parsing limits are available RAM and CPU. We recommend + tuning your JSON parsing limits down from the defaults to match your specific + application needs and available resourcess. Due to the way the parsing limits + interact, running with permissive defaults in a low-resource environment like + a lightweight container can increase the risk that a large, complex JSON + payload could exhaust the available resources. - `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. This is a security control to mitigate the risk of stack exhaustion from deeply nested From 6b04e60e9bceaed2744c2ea901cf7fe094b50f72 Mon Sep 17 00:00:00 2001 
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:04:46 +0200 Subject: [PATCH 06/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index 4a8150c75c..4efa3222ed 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx @@ -289,9 +289,9 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co a lightweight container can increase the risk that a large, complex JSON payload could exhaust the available resources. -- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. - This is a security control to mitigate the risk of stack exhaustion from deeply nested - objects, which could lead to a Denial of Service (DoS). +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON + payload. Limiting object depth mitigates the risk of stack exhaustion from + deeply nested objects, which could lead to a Denial of Service (DoS). - `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes for a single string value within a JSON payload. This is a critical defense against excessive memory From 32ee3812053712f5bca21f779a871622d54d5456 Mon Sep 17 00:00:00 2001 
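Review bot: "Limiting object depth" narrows the control to objects, but nesting depth is reached through arrays nested inside arrays just as well, and the first sentence of the entry correctly says "nesting depth of a JSON payload"; write "Limiting nesting depth" so the two sentences agree. The same rewording is repeated for the v1.18.x, v1.19.x and v1.20.x copies in PATCH 07, 11 and 14.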
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:01 +0200 Subject: [PATCH 07/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index 75b50a78fd..cf921ba995 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx @@ -306,9 +306,9 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co a lightweight container can increase the risk that a large, complex JSON payload could exhaust the available resources. -- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. - This is a security control to mitigate the risk of stack exhaustion from deeply nested - objects, which could lead to a Denial of Service (DoS). +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON + payload. Limiting object depth mitigates the risk of stack exhaustion from + deeply nested objects, which could lead to a Denial of Service (DoS). - `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes for a single string value within a JSON payload. This is a critical defense against excessive memory From 65cddf6e8cf4ec381cc92f037224bded5cf0e7e0 Mon Sep 17 00:00:00 2001 
From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:08 +0200 Subject: [PATCH 08/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index cf921ba995..19a861a80d 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx @@ -323,9 +323,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co consumption when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens - (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall - complexity limit, providing a safeguard against attacks that use a huge number of small elements - to exhaust CPU and memory. + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. + Setting a limit on tokens acts as an overall complexity limit to provide a + safeguard against attacks that use a huge number of small elements to exhaust + CPU and memory. ### `telemetry` parameters From 301da4469c0f50555a7c52276dafb18dcf5ef015 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:15 +0200 Subject: [PATCH 09/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index 75b50a78fd..f48bb25e2f 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx @@ -323,9 +323,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co consumption when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens - (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall - complexity limit, providing a safeguard against attacks that use a huge number of small elements - to exhaust CPU and memory. + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. + Setting a limit on tokens acts as an overall complexity limit to provide a + safeguard against attacks that use a huge number of small elements to exhaust + CPU and memory. ### `telemetry` parameters From 39d74bd857f6b0a2f739c2edeb679470bbbd1c6f Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:22 +0200 Subject: [PATCH 10/25] Update content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index 75b50a78fd..f48bb25e2f 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -323,9 +323,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co consumption when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens - (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall - complexity limit, providing a safeguard against attacks that use a huge number of small elements - to exhaust CPU and memory. + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. + Setting a limit on tokens acts as an overall complexity limit to provide a + safeguard against attacks that use a huge number of small elements to exhaust + CPU and memory. ### `telemetry` parameters From cb45031178df615b85170b50214b50e97f4d1d94 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:35 +0200 Subject: [PATCH 11/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index f48bb25e2f..19a861a80d 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -306,9 +306,9 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co a lightweight container can increase the risk that a large, complex JSON payload could exhaust the available resources. -- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. - This is a security control to mitigate the risk of stack exhaustion from deeply nested - objects, which could lead to a Denial of Service (DoS). +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON + payload. Limiting object depth mitigates the risk of stack exhaustion from + deeply nested objects, which could lead to a Denial of Service (DoS). - `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes for a single string value within a JSON payload. This is a critical defense against excessive memory From fedb87bb9d7d8f9ca0648d8bb7e248f7f35df119 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:42 +0200 Subject: [PATCH 12/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index 19a861a80d..0974a61fcc 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -314,9 +314,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co for a single string value within a JSON payload. This is a critical defense against excessive memory allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. -- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs - allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) - attacks and prevents general resource exhaustion from objects with an excessive number of entries. +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of + key-value pairs allowed in a single JSON object. Limiting the entry count on + JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks + and prevents general resource exhaustion from objects with an excessive number + of entries. - `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements permitted in a single JSON array. This prevents a single request from causing excessive memory From 69f3459626ebcfcc1b5ee9e948d20c9c634b7207 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:05:49 +0200 Subject: [PATCH 13/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index 19a861a80d..0974a61fcc 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -314,9 +314,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co for a single string value within a JSON payload. This is a critical defense against excessive memory allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. -- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs - allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) - attacks and prevents general resource exhaustion from objects with an excessive number of entries. +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of + key-value pairs allowed in a single JSON object. Limiting the entry count on + JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks + and prevents general resource exhaustion from objects with an excessive number + of entries. - `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements permitted in a single JSON array. This prevents a single request from causing excessive memory From a691a92b816d63917a4e855f4c0deb9e737fa5e5 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:06:38 +0200 Subject: [PATCH 14/25] Update content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index f48bb25e2f..19a861a80d 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
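Review bot: the v1.18.x hunk above is byte-for-byte the v1.19.x hunk from PATCH 12 (both carry the index line 19a861a80d..0974a61fcc), and the pattern repeats for every parameter across v1.16.x, v1.18.x, v1.19.x and v1.20.x; the wording will be easier to keep in sync if the per-version suggestion commits are squashed per parameter before merge, or the four copies share a single partial if the docs site supports one.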
@@ -306,9 +306,9 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co a lightweight container can increase the risk that a large, complex JSON payload could exhaust the available resources. -- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON payload. - This is a security control to mitigate the risk of stack exhaustion from deeply nested - objects, which could lead to a Denial of Service (DoS). +- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON + payload. Limiting object depth mitigates the risk of stack exhaustion from + deeply nested objects, which could lead to a Denial of Service (DoS). - `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes for a single string value within a JSON payload. This is a critical defense against excessive memory From c8a6f25148231a07bed5b2fee04e3f56dd055fd9 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:06:52 +0200 Subject: [PATCH 15/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index 4efa3222ed..d6bb53731c 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -293,9 +293,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co payload. Limiting object depth mitigates the risk of stack exhaustion from deeply nested objects, which could lead to a Denial of Service (DoS). -- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes - for a single string value within a JSON payload. This is a critical defense against excessive memory - allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed + length in bytes for a single string value within a JSON payload. Limiting + string length provides a critical defense against excessive memory allocation + attacks where a client might send a very large string to exhaust server memory. + Defaults to 1MB. - `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) From 436c0009029442dd89fc6b3e14636ef32c6bf2d0 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:07:14 +0200 Subject: [PATCH 16/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index 0974a61fcc..a1afe4745f 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx 
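Review bot: the trailing "Defaults to 1MB." on the last added line of the `max_json_string_value_length` hunk above duplicates the default already given in the signature `(int: 1048576)`, and 1048576 bytes is 1 MiB rather than 1 MB; either drop the sentence or write "(1 MiB)" next to the number so the two do not disagree. The same sentence is carried into the v1.18.x, v1.19.x and v1.20.x copies in PATCH 16, PATCH 17 and PATCH 23.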
@@ -310,9 +310,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co payload. Limiting object depth mitigates the risk of stack exhaustion from deeply nested objects, which could lead to a Denial of Service (DoS). -- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes - for a single string value within a JSON payload. This is a critical defense against excessive memory - allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed + length in bytes for a single string value within a JSON payload. Limiting + string length provides a critical defense against excessive memory allocation + attacks where a client might send a very large string to exhaust server memory. + Defaults to 1MB. - `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs allowed in a single JSON object. Limiting the entry count on From 834a9df912eef5e2fe7e2436db3ecf03f068756e Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:07:28 +0200 Subject: [PATCH 17/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index 0974a61fcc..a1afe4745f 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -310,9 +310,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co payload. Limiting object depth mitigates the risk of stack exhaustion from deeply nested objects, which could lead to a Denial of Service (DoS). -- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes - for a single string value within a JSON payload. This is a critical defense against excessive memory - allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed + length in bytes for a single string value within a JSON payload. Limiting + string length provides a critical defense against excessive memory allocation + attacks where a client might send a very large string to exhaust server memory. + Defaults to 1MB. - `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs allowed in a single JSON object. Limiting the entry count on From 9df76be18700428fcae5edd63395ffa5ee84c5a7 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:07:40 +0200 Subject: [PATCH 18/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index d6bb53731c..c96cff0191 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -299,9 +299,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. -- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs - allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) - attacks and prevents general resource exhaustion from objects with an excessive number of entries. +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of + key-value pairs allowed in a single JSON object. Limiting the entry count on + JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks + and prevents general resource exhaustion from objects with an excessive number + of entries. - `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements permitted in a single JSON array. This prevents a single request from causing excessive memory From 80218691495fcdb9cf04e3dc0c92b130b416bfb1 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:07:56 +0200 Subject: [PATCH 19/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index c96cff0191..d2cab45556 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -305,9 +305,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co and prevents general resource exhaustion from objects with an excessive number of entries. -- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements - permitted in a single JSON array. This prevents a single request from causing excessive memory - consumption when processing large lists. +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number + of elements permitted in a single JSON array. Limiting the number of array + elements prevents a single request from causing excessive memory consumption + when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall From 8695ed6553495859d2200e1caa8abfa2c602c03b Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:08:05 +0200 Subject: [PATCH 20/25] Update content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx index d2cab45556..e7758c56a6 100644 --- a/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.16.x/content/docs/configuration/listener/tcp/index.mdx 
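Review bot: in the `max_json_array_element_count` hunk above, "prevents a single request from causing excessive memory consumption" overstates what the array limit does on its own: it bounds the element count, while the memory a request can consume also depends on the string-length and token limits (the warning earlier in this section calls these limits related), so "bounds" or "limits" reads more accurately than "prevents". The same wording is applied in PATCH 21, PATCH 22 and PATCH 25.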
@@ -311,9 +311,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens - (e.g., keys, values, braces, brackets) permitted in a single JSON payload. This acts as an overall - complexity limit, providing a safeguard against attacks that use a huge number of small elements - to exhaust CPU and memory. + (e.g., keys, values, braces, brackets) permitted in a single JSON payload. + Setting a limit on tokens acts as an overall complexity limit to provide a + safeguard against attacks that use a huge number of small elements to exhaust + CPU and memory. ### `telemetry` parameters From 6fb1eaf1657efe6da98a7e9b6d5dc1e4458fbdee Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 20:08:41 +0200 Subject: [PATCH 21/25] Update content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx index a1afe4745f..c85799cef0 100644 --- a/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.18.x/content/docs/configuration/listener/tcp/index.mdx 
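Review bot: the `max_json_token` entry above names the token kinds ("keys, values, braces, brackets") but not how they are counted, so an operator cannot estimate the budget a given payload uses against the 500000 default; a one-line worked count for a small document such as `{"a": [1, 2]}` would make the limit tunable in practice.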
@@ -322,9 +322,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co and prevents general resource exhaustion from objects with an excessive number of entries. -- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements - permitted in a single JSON array. This prevents a single request from causing excessive memory - consumption when processing large lists. +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number + of elements permitted in a single JSON array. Limiting the number of array + elements prevents a single request from causing excessive memory consumption + when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens (e.g., keys, values, braces, brackets) permitted in a single JSON payload. From 5d846918daafada8744e6867049911222aa8a5b9 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 22:15:29 +0200 Subject: [PATCH 22/25] Update content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx index a1afe4745f..c85799cef0 100644 --- a/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.19.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -322,9 +322,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co and prevents general resource exhaustion from objects with an excessive number of entries. -- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements - permitted in a single JSON array. This prevents a single request from causing excessive memory - consumption when processing large lists. +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number + of elements permitted in a single JSON array. Limiting the number of array + elements prevents a single request from causing excessive memory consumption + when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens (e.g., keys, values, braces, brackets) permitted in a single JSON payload. From 7bf1b32384c8fe6b55a2ee357021f4987e6778bb Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 22:15:59 +0200 Subject: [PATCH 23/25] Update content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index 19a861a80d..eca684fc53 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -310,9 +310,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co payload. Limiting object depth mitigates the risk of stack exhaustion from deeply nested objects, which could lead to a Denial of Service (DoS). -- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed length in bytes - for a single string value within a JSON payload. This is a critical defense against excessive memory - allocation attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. +- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed + length in bytes for a single string value within a JSON payload. Limiting + string length provides a critical defense against excessive memory allocation + attacks where a client might send a very large string to exhaust server memory. + Defaults to 1MB. - `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) From c28837e26f85cace02022fd6340ce277e5a7ba87 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 22:16:09 +0200 Subject: [PATCH 24/25] Update content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index eca684fc53..a1afe4745f 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -316,9 +316,11 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co attacks where a client might send a very large string to exhaust server memory. Defaults to 1MB. -- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of key-value pairs - allowed in a single JSON object. This helps mitigate hash-collision Denial of Service (HashDoS) - attacks and prevents general resource exhaustion from objects with an excessive number of entries. +- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of + key-value pairs allowed in a single JSON object. Limiting the entry count on + JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks + and prevents general resource exhaustion from objects with an excessive number + of entries. - `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements permitted in a single JSON array. This prevents a single request from causing excessive memory From 790600c8dd75e9d2258bfee614e3cbe96e5c4309 Mon Sep 17 00:00:00 2001 From: Bianca <48203644+biazmoreira@users.noreply.github.com> Date: Tue, 23 Sep 2025 22:16:31 +0200 Subject: [PATCH 25/25] Apply suggestions from code review Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- .../content/docs/configuration/listener/tcp/index.mdx | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx index a1afe4745f..c85799cef0 100644 --- a/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx +++ b/content/vault/v1.20.x/content/docs/configuration/listener/tcp/index.mdx 
@@ -322,9 +322,10 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co and prevents general resource exhaustion from objects with an excessive number of entries. -- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number of elements - permitted in a single JSON array. This prevents a single request from causing excessive memory - consumption when processing large lists. +- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number + of elements permitted in a single JSON array. Limiting the number of array + elements prevents a single request from causing excessive memory consumption + when processing large lists. - `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens (e.g., keys, values, braces, brackets) permitted in a single JSON payload.