HashiCorp has disclosed a high-severity, unauthenticated denial-of-service vulnerability in Vault and Vault Enterprise: an attacker can exhaust the server's CPU and memory by sending large, well-formed JSON payloads. (The impact is availability only, which is why it rates as high rather than critical under CVSS.)
The vulnerability, tracked as CVE-2025-12044 under bulletin HCSEC-2025-31, is a regression introduced by an earlier security fix, and it matters to any organization that relies on Vault for secrets management or encryption key operations.
The flaw is an order-of-operations error introduced while remediating HCSEC-2025-24: the affected releases evaluate rate-limit quotas after the JSON payload has been parsed rather than before.
Technical Exploitation and Resource Exhaustion
An attacker exploits this by repeatedly sending crafted JSON payloads to a Vault listener without authenticating. Because the rate-limit quota is evaluated only after the body is parsed, every request is fully decoded before Vault decides whether it exceeds the quota.
Large but well-formed JSON bodies that stay below the listener's configured max_request_size (32 MiB by default) pass the size check and are parsed in full. By the time the rate limit rejects a request, the attacker has already spent the server's CPU and memory on parsing it, so the quota no longer bounds the cost of the attack.
Repeating this at volume consumes significant CPU and memory, degrading Vault's performance or making the service unavailable altogether.
In the worst case, resource exhaustion kills the Vault process, leaving secrets inaccessible to the applications and services that depend on it.
Vault relies on configurable rate-limit and resource quotas to contain abuse of its API. Because of the ordering flaw, operators who have configured strict rate-limit quotas are still exposed: a quota cannot stop work that is done before it is consulted.
The flaw therefore undermines the effectiveness of these protections and gives unauthenticated attackers a direct path to disrupting production environments.
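To make the ordering problem concrete, here is an added Go illustration (it is not Vault's code and is not taken from the HashiCorp bulletin). A toy fixed-window quota stands in for Vault's token-bucket rate-limit quota, a counter records every full JSON decode, and a flood of valid bodies below the size cap is run against the regressed ordering (decode, then quota) and the corrected one (quota, then decode). The `quota` type, `parseCount` counter, handler names, request path and 64 KiB payload are all constructed for this example; Vault's real request path is considerably more involved.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// quota is a toy fixed-window rate limit: the first `limit` calls to allow()
// succeed and every later call fails. It stands in for Vault's token-bucket
// rate-limit quota (sys/quotas/rate-limit), which is not reproduced here.
type quota struct {
	limit    int64
	admitted atomic.Int64
}

func (q *quota) allow() bool {
	return q.admitted.Add(1) <= q.limit
}

// parseCount counts full JSON decodes so the cost of each ordering can be
// measured. It is instrumentation for this example, not something Vault has.
var parseCount atomic.Int64

func decodeBody(body io.Reader) error {
	parseCount.Add(1)
	var v map[string]any
	return json.NewDecoder(body).Decode(&v)
}

// vulnerableHandler mirrors the regressed ordering: the body is size-capped
// and fully decoded first, and only then is the rate-limit quota consulted.
func vulnerableHandler(q *quota, maxRequestSize int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body := http.MaxBytesReader(w, r.Body, maxRequestSize)
		if err := decodeBody(body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !q.allow() {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// fixedHandler consults the quota before touching the body, so a rejected
// request costs only the counter check.
func fixedHandler(q *quota, maxRequestSize int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !q.allow() {
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		body := http.MaxBytesReader(w, r.Body, maxRequestSize)
		if err := decodeBody(body); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// bigPayload builds a valid JSON object of exactly size bytes: the attacker's
// "large but well-formed" body. Constructed input for this example.
func bigPayload(size int) []byte {
	const frame = `{"data":""}`
	return []byte(`{"data":"` + strings.Repeat("x", size-len(frame)) + `"}`)
}

// floodResult summarises one unauthenticated flood against a handler.
type floodResult struct {
	Parsed   int64 // bodies that were fully decoded
	Accepted int   // HTTP 200 responses
	Rejected int   // anything else: 429 over quota, 400 on oversize body
}

// flood sends n copies of payload to h and reports how many were decoded.
func flood(h http.HandlerFunc, n int, payload []byte) floodResult {
	parseCount.Store(0)
	var res floodResult
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/v1/sys/unseal", bytes.NewReader(payload))
		req.Header.Set("Content-Type", "application/json")
		rec := httptest.NewRecorder()
		h(rec, req)
		if rec.Code == http.StatusOK {
			res.Accepted++
		} else {
			res.Rejected++
		}
	}
	res.Parsed = parseCount.Load()
	return res
}

func main() {
	const maxRequestSize = 1 << 20 // 1 MiB cap for the example; Vault's default max_request_size is 32 MiB
	payload := bigPayload(64 * 1024) // well under the cap, so the size check passes
	fmt.Printf("regressed ordering: %+v\n", flood(vulnerableHandler(&quota{limit: 10}, maxRequestSize), 200, payload))
	fmt.Printf("fixed ordering:     %+v\n", flood(fixedHandler(&quota{limit: 10}, maxRequestSize), 200, payload))
}
```

With a quota of 10 and 200 requests, both orderings accept exactly 10 and reject 190, so an operator watching only the 429 count sees the quota "working". The difference is in the decode counter: the regressed ordering parses all 200 bodies, the fixed one parses 10. The size cap behaves the same in both, which is why the attack keeps each payload under max_request_size rather than over it.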
Affected Versions and Remediation Guidance
The affected versions are narrow ranges across several release lines, beginning with the releases that carried the HCSEC-2025-24 fix. Vault Community Edition 1.20.3 to 1.20.4 should upgrade to 1.21.0.
Vault Enterprise customers running 1.16.25 to 1.16.26, 1.18.14 to 1.18.15, 1.19.9 to 1.19.10 or 1.20.3 to 1.20.4 should move to the patched release for their line; the patched releases named here are 1.16.27, 1.19.11, 1.20.5 and 1.21.0 (consult HCSEC-2025-31 for the patched 1.18 release).
HashiCorp recommends consulting its official upgrade documentation to plan the migration path for production deployments.
Organizations operating Vault should check the server version reported by `vault status` against the ranges above and expedite upgrades where they match; the attack needs no credentials, so any reachable listener is exposed.
Toni Tauro of Adfinis AG reported the vulnerability to HashiCorp through coordinated disclosure. Given its unauthenticated nature and direct impact on availability, enterprises should treat it as a high-priority patch requiring immediate attention.