CVE-2025-12044
📋 TL;DR
Vault and Vault Enterprise are vulnerable to unauthenticated denial of service attacks when processing JSON payloads due to a regression in rate limiting. This allows attackers to send specially crafted JSON requests to exhaust system resources and cause service disruption. All users running vulnerable versions of Vault are affected.
💻 Affected Systems
- Vault Community Edition
- Vault Enterprise
📦 What is this software?
Vault by HashiCorp
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage making Vault unavailable for authentication, secrets management, and encryption services, potentially disrupting dependent applications and workflows.
Likely Case
Service degradation or temporary unavailability affecting authentication flows, secret retrieval, and encryption operations until the attack stops or systems recover.
If Mitigated
Minimal impact with proper network controls, rate limiting at infrastructure level, and monitoring to detect and block attack patterns quickly.
🎯 Exploit Status
The vulnerability is a regression from a previously fixed issue, suggesting similar exploitation techniques may work. Unauthenticated nature makes weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Vault Community Edition 1.21.0, Vault Enterprise 1.16.27, 1.19.11, 1.20.5, or 1.21.0
Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2025-31-vault-vulnerable-to-denial-of-service-due-to-rate-limit-regression/76710
Restart Required: Yes
Instructions:
1. Download the patched version from HashiCorp releases.
2. Back up Vault configuration and data.
3. Stop the Vault service.
4. Install the patched version.
5. Restart the Vault service.
6. Verify service functionality.
🔧 Temporary Workarounds
Network-level rate limiting
Implement rate limiting at the load balancer or firewall level to restrict JSON payload requests
API gateway protection
Deploy an API gateway with request validation and size limits for JSON payloads
🧯 If You Can't Patch
- Implement strict network ACLs to restrict Vault API access to trusted sources only
- Deploy WAF with JSON payload inspection and request throttling capabilities
🔍 How to Verify
Check if Vulnerable:
Check Vault version via API: curl -s http://vault-server:8200/v1/sys/health | grep version
Check Version:
vault version
Verify Fix Applied:
Confirm the version is patched: vault version should show 1.21.0+ for Community, or 1.16.27+/1.19.11+/1.20.5+/1.21.0+ (the fixed release on the branch you run) for Enterprise
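As an added example (not part of the advisory), a small Python checker that applies the fixed-version matrix above to the output of vault version or to the version field returned by /v1/sys/health; it assumes Enterprise builds are identified by a "+ent" suffix in the version string and treats an Enterprise branch with no listed fix (for example 1.17.x or 1.18.x) as unpatched unless it is newer than every listed fix.

```python
import re

# Fixed versions from the advisory, keyed by release branch (major, minor).
COMMUNITY_FIXES = {(1, 21): (1, 21, 0)}
ENTERPRISE_FIXES = {
    (1, 16): (1, 16, 27),
    (1, 19): (1, 19, 11),
    (1, 20): (1, 20, 5),
    (1, 21): (1, 21, 0),
}

# Matches "v1.20.5", "1.20.5+ent" or "1.20.5+ent.hsm" (assumption: "+ent" marks Enterprise).
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(\+ent[\w.]*)?")


def parse_vault_version(text):
    """Return ((major, minor, patch), is_enterprise) from `vault version` output
    or from the "version" field of the /v1/sys/health response."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Vault version found in: {text!r}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4) is not None


def is_patched(version, enterprise):
    """True when the version is at or above the fixed release on its own branch."""
    fixes = ENTERPRISE_FIXES if enterprise else COMMUNITY_FIXES
    branch = version[:2]
    if branch in fixes:
        return version >= fixes[branch]
    # Branch without a listed fix: only a release newer than every listed
    # fix (e.g. 1.22.x) counts as patched; 1.17.x/1.18.x Enterprise does not.
    return version >= max(fixes.values())


def assess(text):
    """One-line verdict for a version string captured from the CLI or health API."""
    version, ent = parse_vault_version(text)
    edition = "Enterprise" if ent else "Community"
    status = "patched" if is_patched(version, ent) else "VULNERABLE"
    return f"{edition} {'.'.join(map(str, version))}: {status}"


if __name__ == "__main__":
    # Constructed sample inputs, not real captured output.
    for sample in ("Vault v1.20.4+ent (abc123), built 2025-09-01T00:00:00Z",
                   '{"version":"1.21.0"}', "Vault v1.19.10+ent.hsm"):
        print(assess(sample))
```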
📡 Detection & Monitoring
Log Indicators:
- High volume of JSON parsing errors
- Increased memory/CPU usage spikes
- Request timeouts on API endpoints
Network Indicators:
- Unusual volume of POST requests with JSON payloads
- Requests with malformed or complex JSON structures
SIEM Query:
source="vault" AND ("json parse" OR "rate limit") AND severity=ERROR | stats count by src_ip