JSON Configurable limits Ignored when Forwarded by Standby nodes

Introduction 

Vault versions 1.16.25, 1.18.14, 1.19.9, 1.20.3, and 1.21.0 introduced tunable JSON limits as part of the listener tcp configuration.

The limits are correctly applied when a client request reaches the active node directly or when the request is handled by a Performance Standby node. However, a bug has been identified where these configured limits are ignored when a request is received by a non-performance Standby node and forwarded to the Active node. During this forwarding process, Vault fails to respect the custom values set in the configuration, enforcing default limits instead.

listener "tcp" {
...

  # JSON payload limits (only respected on active node or Performance Standby)
  max_json_depth                  = ...
  max_json_string_value_length    = ...
  max_json_object_entry_count     = ...
  max_json_array_element_count    = ...
}

This results in request failures for valid payloads that exceed default limits, even if the Vault configuration explicitly allows them.

Prerequisites

• This applies to Vault versions that include the JSON limit parameters (1.16.25, 1.18.14, 1.19.9, 1.20.3, 1.21.0 and later) when setup includes non-Performance standby nodes.

Problem Description

When a client sends a request containing a large JSON payload to a Vault cluster, the request may fail with one of the errors listed below, even if the relevant configuration parameters have been increased to accommodate the payload.

The error message depends on which specific threshold is being enforced (default values vs. configured values):

• {"errors":["JSON input exceeds allowed nesting depth"]}

• {"errors":["JSON string value exceeds allowed length"]}

• {"errors":["JSON object exceeds allowed entry count"]}

• {"errors":["JSON array exceeds allowed element count"]}

Cause

• When a non-performance standby node forwards a request to the active node, the custom JSON configuration limits are not propagated or applied to the forwarded request. Consequently, the active node evaluates the payload against its default limits, rejecting valid payloads that exceed these defaults.

Overview of possible solutions

• Until a fix is released, configure your Load Balancer or client to direct traffic specifically to the active node, bypassing standby nodes.

Additional Information

• https://developer.hashicorp.com/vault/docs/v1.20.x/updates/important-changes#json-payload-limits

• https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#tcp-listener-parameters

• https://github.com/hashicorp/vault/blob/main/CHANGELOG.md