CVE-2025-11375
📋 TL;DR
Consul's event endpoint is vulnerable to denial of service (DoS) attacks due to lack of validation on Content-Length headers, allowing attackers to send excessively large requests that consume server resources. This affects all Consul deployments with vulnerable versions that have the event endpoint enabled. The vulnerability can cause service disruption by exhausting memory or processing capacity.
💻 Affected Systems
- Consul Community Edition
- Consul Enterprise
📦 What is this software?
Consul by Hashicorp
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage of Consul cluster, disrupting service discovery and configuration management for dependent applications
Likely Case
Degraded performance or temporary unavailability of Consul services, impacting service discovery and health checks
If Mitigated
Minimal impact with proper network controls and monitoring in place
🎯 Exploit Status
Exploitation requires network access to Consul API and knowledge of the event endpoint
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consul Community Edition 1.22.0, Consul Enterprise 1.22.0, 1.21.6, 1.20.8, 1.18.12
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-28-consuls-event-endpoint-is-vulnerable-to-denial-of-service/76723
Restart Required: No
Instructions:
1. Download the patched version from HashiCorp releases.
2. Replace the Consul binary with the patched version.
3. No restart required - the fix is applied immediately to new connections.
🔧 Temporary Workarounds
Disable Event Endpoint
Disable the vulnerable event endpoint if not required
Set 'disable_anonymous_event_endpoint = true' in Consul configuration
Network Access Control
Restrict access to Consul API endpoints
Configure firewall rules to limit access to Consul API (default port 8500)
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Consul API
- Deploy rate limiting or WAF protection for Consul endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Consul version and compare it against the patched versions. If the event endpoint is enabled on a vulnerable version, the system is vulnerable.
Check Version:
consul version
Verify Fix Applied:
Verify Consul version is 1.22.0 or higher, or one of the specific patched enterprise versions
📡 Detection & Monitoring
Log Indicators:
- Unusually large HTTP requests to /v1/event/fire endpoint
- High memory consumption by Consul process
- Error logs indicating request size limits exceeded
Network Indicators:
- Large HTTP POST requests to Consul API port 8500
- Abnormal traffic patterns to event endpoint
SIEM Query:
source="consul.log" AND (("event/fire" AND content_length>1000000) OR "request too large")
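The log indicators above, as an added detection example that is not part of the original advisory: it parses constructed access-log lines (assumed to come from a reverse proxy in front of the Consul API, since the log layout and the `request_length` field are assumptions) and flags event-fire requests whose body exceeds the same 1,000,000-byte threshold the SIEM query uses, then counts hits per source client.

```python
import re
from collections import Counter

# Constructed sample lines in an access-log layout assumed to come from a reverse
# proxy (e.g. nginx) placed in front of the Consul HTTP API on port 8500.
# Fields: client, request line, status, request body size in bytes.
SAMPLE_LOG = """\
10.0.0.5 "PUT /v1/event/fire/deploy HTTP/1.1" 200 request_length=512
10.0.0.9 "PUT /v1/event/fire/deploy HTTP/1.1" 200 request_length=52428800
10.0.0.9 "PUT /v1/event/fire/deploy HTTP/1.1" 200 request_length=104857600
10.0.0.5 "GET /v1/catalog/services HTTP/1.1" 200 request_length=0
10.0.0.7 "PUT /v1/kv/app/config HTTP/1.1" 200 request_length=4096
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) request_length=(?P<length>\d+)$'
)

# Body size above which a single event-fire request is treated as suspicious.
# Matches the 1,000,000-byte threshold in the SIEM query; tune it for your site.
THRESHOLD_BYTES = 1_000_000

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["length"] = int(rec["length"])
    return rec

def find_oversized_event_requests(log_text, threshold=THRESHOLD_BYTES):
    """Return (client, length) for each request to /v1/event/fire whose body exceeds threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith("/v1/event/fire") and rec["length"] > threshold:
            hits.append((rec["client"], rec["length"]))
    return hits

def clients_by_hit_count(hits):
    """Aggregate oversized requests per source client so repeat senders stand out."""
    return Counter(client for client, _ in hits)

if __name__ == "__main__":
    hits = find_oversized_event_requests(SAMPLE_LOG)
    for client, n in clients_by_hit_count(hits).most_common():
        print(f"{client}: {n} oversized event-fire requests")
```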