hashicorp · biazmoreira · Sep 25, 2025 · Sep 23, 2025 · Sep 23, 2025 · Sep 23, 2025
@@ -280,6 +280,42 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co
   this listener. The default configuration will honor the global
   [configuration](/vault/docs/configuration/request-limiter).
 
+  The JSON parsing limits like `max_json_depth` and `max_json_token` have
+  intentionally permissive defaults to suport a wide range of use cases. The
+  primary constraints on parsing limits are available RAM and CPU. We recommend
+  tuning your JSON parsing limits down from the defaults to match your specific
+  application needs and available resourcess. Due to the way the parsing limits
+  interact, running with permissive defaults in a low-resource environment like
+  a lightweight container can increase the risk that a large, complex JSON
+  payload could exhaust the available resources.
+
+- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON
+  payload. Limiting object depth mitigates the risk of stack exhaustion from
+  deeply nested objects, which could lead to a Denial of Service (DoS).
+
+- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed
+  length in bytes for a single string value within a JSON payload. Limiting
+  string length provides a critical defense against excessive memory allocation
+  attacks where a client might send a very large string to exhaust server memory.
+  Defaults to 1MB.
+
+- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of
+  key-value pairs allowed in a single JSON object. Limiting the entry count on
+  JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks
+  and prevents general resource exhaustion from objects with an excessive number
+  of entries.
+
+- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number
+  of elements permitted in a single JSON array. Limiting the number of array
+  elements prevents a single request from causing excessive memory consumption
+  when processing large lists.
+
+- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens
+  (e.g., keys, values, braces, brackets) permitted in a single JSON payload.
+  Setting a limit on tokens acts as an overall complexity limit to provide a
+  safeguard against attacks that use a huge number of small elements to exhaust
+  CPU and memory.
+
 ### `telemetry` parameters
 
 - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows

@@ -297,6 +297,42 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co
 - `disable_replication_status_endpoints` `(bool: false)` - Disables replication
   status endpoints for the configured listener when set to `true`.
 
+  The JSON parsing limits like `max_json_depth` and `max_json_token` have
+  intentionally permissive defaults to suport a wide range of use cases. The
+  primary constraints on parsing limits are available RAM and CPU. We recommend
+  tuning your JSON parsing limits down from the defaults to match your specific
+  application needs and available resourcess. Due to the way the parsing limits
+  interact, running with permissive defaults in a low-resource environment like
+  a lightweight container can increase the risk that a large, complex JSON
+  payload could exhaust the available resources.
+
+- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON
+  payload. Limiting object depth mitigates the risk of stack exhaustion from
+  deeply nested objects, which could lead to a Denial of Service (DoS).
+
+- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed
+  length in bytes for a single string value within a JSON payload. Limiting
+  string length provides a critical defense against excessive memory allocation
+  attacks where a client might send a very large string to exhaust server memory.
+  Defaults to 1MB.
+
+- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of
+  key-value pairs allowed in a single JSON object. Limiting the entry count on
+  JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks
+  and prevents general resource exhaustion from objects with an excessive number
+  of entries.
+
+- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number
+  of elements permitted in a single JSON array. Limiting the number of array
+  elements prevents a single request from causing excessive memory consumption
+  when processing large lists.
+
+- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens
+  (e.g., keys, values, braces, brackets) permitted in a single JSON payload.
+  Setting a limit on tokens acts as an overall complexity limit to provide a
+  safeguard against attacks that use a huge number of small elements to exhaust
+  CPU and memory.
+
 ### `telemetry` parameters
 
 - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows

@@ -297,6 +297,42 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co
 - `disable_replication_status_endpoints` `(bool: false)` - Disables replication
   status endpoints for the configured listener when set to `true`.
 
+  The JSON parsing limits like `max_json_depth` and `max_json_token` have
+  intentionally permissive defaults to suport a wide range of use cases. The
+  primary constraints on parsing limits are available RAM and CPU. We recommend
+  tuning your JSON parsing limits down from the defaults to match your specific
+  application needs and available resourcess. Due to the way the parsing limits
+  interact, running with permissive defaults in a low-resource environment like
+  a lightweight container can increase the risk that a large, complex JSON
+  payload could exhaust the available resources.
+
+- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON
+  payload. Limiting object depth mitigates the risk of stack exhaustion from
+  deeply nested objects, which could lead to a Denial of Service (DoS).
+
+- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed
+  length in bytes for a single string value within a JSON payload. Limiting
+  string length provides a critical defense against excessive memory allocation
+  attacks where a client might send a very large string to exhaust server memory.
+  Defaults to 1MB.
+
+- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of
+  key-value pairs allowed in a single JSON object. Limiting the entry count on
+  JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks
+  and prevents general resource exhaustion from objects with an excessive number
+  of entries.
+
+- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number
+  of elements permitted in a single JSON array. Limiting the number of array
+  elements prevents a single request from causing excessive memory consumption
+  when processing large lists.
+
+- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens
+  (e.g., keys, values, braces, brackets) permitted in a single JSON payload.
+  Setting a limit on tokens acts as an overall complexity limit to provide a
+  safeguard against attacks that use a huge number of small elements to exhaust
+  CPU and memory.
+
 ### `telemetry` parameters
 
 - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows

@@ -297,6 +297,42 @@ default value in the `"/sys/config/ui"` [API endpoint](/vault/api-docs/system/co
 - `disable_replication_status_endpoints` `(bool: false)` - Disables replication
   status endpoints for the configured listener when set to `true`.
 
+  The JSON parsing limits like `max_json_depth` and `max_json_token` have
+  intentionally permissive defaults to suport a wide range of use cases. The
+  primary constraints on parsing limits are available RAM and CPU. We recommend
+  tuning your JSON parsing limits down from the defaults to match your specific
+  application needs and available resourcess. Due to the way the parsing limits
+  interact, running with permissive defaults in a low-resource environment like
+  a lightweight container can increase the risk that a large, complex JSON
+  payload could exhaust the available resources.
+
+- `max_json_depth` `(int: 500)` – Specifies the maximum nesting depth of a JSON
+  payload. Limiting object depth mitigates the risk of stack exhaustion from
+  deeply nested objects, which could lead to a Denial of Service (DoS).
+
+- `max_json_string_value_length` `(int: 1048576)` – Defines the maximum allowed
+  length in bytes for a single string value within a JSON payload. Limiting
+  string length provides a critical defense against excessive memory allocation
+  attacks where a client might send a very large string to exhaust server memory.
+  Defaults to 1MB.
+
+- `max_json_object_entry_count` `(int: 10000)` – Sets the maximum number of
+  key-value pairs allowed in a single JSON object. Limiting the entry count on
+  JSON objects helps mitigate hash-collision Denial of Service (HashDoS) attacks
+  and prevents general resource exhaustion from objects with an excessive number
+  of entries.
+
+- `max_json_array_element_count` `(int: 10000)` – Determines the maximum number
+  of elements permitted in a single JSON array. Limiting the number of array
+  elements prevents a single request from causing excessive memory consumption
+  when processing large lists.
+
+- `max_json_token` `(int: 500000)` – Sets the maximum total number of tokens
+  (e.g., keys, values, braces, brackets) permitted in a single JSON payload.
+  Setting a limit on tokens acts as an overall complexity limit to provide a
+  safeguard against attacks that use a huge number of small elements to exhaust
+  CPU and memory.
+
 ### `telemetry` parameters
 
 - `unauthenticated_metrics_access` `(bool: false)` - If set to true, allows