CVE-2025-11374
📋 TL;DR
Consul's key/value (KV) endpoint is vulnerable to denial of service due to incorrect Content-Length header validation. Attackers can send malformed requests to crash or degrade Consul service availability. This affects every Consul deployment running a vulnerable version whose HTTP API is reachable over the network.
💻 Affected Systems
- Consul Community Edition
- Consul Enterprise
📦 What is this software?
Consul by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Consul cluster, disrupting service discovery, configuration management, and network segmentation for dependent applications.
Likely Case
Partial service degradation or intermittent crashes affecting Consul availability and performance.
If Mitigated
Minimal impact with proper network segmentation and request filtering in place.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with malformed Content-Length headers to the KV endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consul Community Edition 1.22.0, Consul Enterprise 1.22.0, 1.21.6, 1.20.8, 1.18.12
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-29-consuls-kv-endpoint-is-vulnerable-to-denial-of-service/76724
Restart Required: No
Instructions:
1. Identify affected Consul versions.
2. Upgrade to a patched version.
3. Verify the upgrade succeeded.
4. Monitor for stability.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to Consul KV API endpoints using firewalls or network policies.
Load Balancer/Proxy Filtering
Configure load balancers or reverse proxies to filter malformed HTTP requests before they reach Consul.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Consul KV endpoints
- Deploy web application firewalls (WAF) to block malformed HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check the running Consul version and compare it against the affected versions. Test by attempting to send malformed Content-Length headers to the KV endpoint.
Check Version:
consul version
Verify Fix Applied:
Verify that the running Consul version is one of the patched releases and that malformed Content-Length headers no longer cause service disruption.
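The version comparison from the two checks above, as an added example that is not part of the advisory or of Consul itself: it parses `consul version` output and reports whether the build is at or beyond the patched release for its edition and minor line, using the patch versions listed under Official Fix. It assumes the first output line reads `Consul vX.Y.Z` and that Enterprise builds carry a `+ent` suffix.

```python
import re
import subprocess

# Patched releases from the HashiCorp advisory on this page (HCSEC-2025-29),
# keyed by edition and by minor release line.
PATCHED = {
    "ce":  {(1, 22): (1, 22, 0)},
    "ent": {(1, 22): (1, 22, 0), (1, 21): (1, 21, 6),
            (1, 20): (1, 20, 8), (1, 18): (1, 18, 12)},
}

def parse_version(output):
    """Extract (major, minor, patch) and edition from `consul version` output.
    Assumption: the output contains 'Consul vX.Y.Z', with '+ent' on Enterprise."""
    m = re.search(r"Consul v(\d+)\.(\d+)\.(\d+)(\+ent)?", output)
    if not m:
        raise ValueError("could not find a Consul version string")
    ver = tuple(int(m.group(i)) for i in (1, 2, 3))
    return ver, ("ent" if m.group(4) else "ce")

def assess(output):
    """Return ('patched', None) or ('vulnerable', recommended_version)."""
    ver, edition = parse_version(output)
    fixes = PATCHED[edition]
    line_fix = fixes.get(ver[:2])
    if line_fix is not None:
        # This minor line received a fix: compare within the line.
        return ("patched", None) if ver >= line_fix else ("vulnerable", line_fix)
    if ver > max(fixes.values()):
        # Newer than every fixed release listed, so the fix is included.
        return ("patched", None)
    # No backport listed for this line (e.g. 1.19.x Enterprise, or any
    # Community Edition line below 1.22): recommend the nearest fixed release above.
    candidates = sorted(v for v in fixes.values() if v > ver)
    return ("vulnerable", candidates[0])

def fmt(ver):
    return ".".join(str(part) for part in ver)

if __name__ == "__main__":
    out = subprocess.run(["consul", "version"], capture_output=True, text=True).stdout
    status, recommended = assess(out)
    print(status if recommended is None else f"{status}: upgrade to {fmt(recommended)}")
```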
📡 Detection & Monitoring
Log Indicators:
- Consul process crashes
- High error rates in KV API logs
- Unusual HTTP request patterns with malformed headers
Network Indicators:
- Spike in HTTP requests to KV endpoint
- Requests with abnormal Content-Length values
SIEM Query:
source="consul" AND (error OR crash OR "malformed" OR "Content-Length")