Categories: Cyber Security News

HashiCorp Vault Vulnerabilities Let Attackers Bypass Authentication And Trigger DoS Attacks

HashiCorp has disclosed two critical vulnerabilities in its Vault software that could allow attackers to bypass authentication controls and launch denial-of-service (DoS) attacks.

Published on October 23, 2025, these flaws affect both Vault Community Edition and Vault Enterprise, prompting urgent recommendations for upgrades.

The issues, tracked as CVE-2025-12044 and CVE-2025-11621, stem from misconfigurations in resource handling and authentication caching, potentially exposing sensitive data in enterprise environments.

Vault, a widely used tool for secrets management, encryption, and identity-based access, serves as a cornerstone for secure operations in cloud and hybrid infrastructures.

These vulnerabilities highlight ongoing challenges in balancing performance with robust security, especially as organizations increasingly rely on automated authentication methods like AWS integration.

Denial-of-Service Flaw Through JSON Payload Exploitation

The first vulnerability, CVE-2025-12044 (HCSEC-2025-30), enables an unauthenticated DoS attack by exploiting a regression in JSON payload processing.

This flaw arises from a previous fix for HCSEC-2025-24, which addressed complex JSON payloads that could exhaust resources.

In affected versions, Vault applies rate limits after parsing incoming JSON requests rather than before, allowing attackers to flood the system with large, valid payloads under the max_request_size threshold.

Operators configure tunable rate limits and resource quotas in Vault to prevent abuse, but this ordering error lets repeated requests consume excessive CPU and memory.

The result? Service unavailability or outright crashes disrupt access to critical secrets and keys. No CVSS score was immediately provided, but the unauthenticated nature elevates its severity, which HashiCorp rates as high risk.
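To make the ordering point concrete, the following Python model is an added example, not Vault's own code. It runs a request handler with the per-client rate limit checked either after JSON parsing (the regressed ordering) or before it (the corrected ordering), and counts how many expensive parses an over-limit client can force in each case. The limiter, handler, client name and request body are simplified stand-ins; in Vault itself, rate limit quotas live under sys/quotas/rate-limit, which the FixedWindowLimiter class only approximates.

```python
"""Model of the check-ordering bug described for CVE-2025-12044 (added example).

Two handlers differ only in whether the rate limit is consulted before or after
the JSON body is parsed. With the limit applied after parsing, every request
still pays the parse cost, so a single client can keep the CPU busy.
"""
import json
import time


class FixedWindowLimiter:
    """At most `limit` requests per `window` seconds for each client (stand-in for Vault's quotas)."""

    def __init__(self, limit, window=1.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.windows = {}  # client -> (window_start, count)

    def allow(self, client):
        now = self.clock()
        start, count = self.windows.get(client, (now, 0))
        if now - start >= self.window:  # window expired: start counting again
            start, count = now, 0
        if count >= self.limit:
            self.windows[client] = (start, count)
            return False
        self.windows[client] = (start, count + 1)
        return True


class Server:
    """Minimal request pipeline: size check, rate limit, JSON parse, in a configurable order."""

    def __init__(self, limit, max_request_size, parse_first):
        # Frozen clock so the whole simulation falls inside one rate-limit window.
        self.limiter = FixedWindowLimiter(limit, clock=lambda: 0.0)
        self.max_request_size = max_request_size
        self.parse_first = parse_first
        self.parses = 0  # how many times the expensive parse actually ran

    def parse(self, body):
        self.parses += 1
        return json.loads(body)

    def handle(self, client, body):
        if len(body) > self.max_request_size:
            return 413  # max_request_size still applies, but a valid body below it passes
        if self.parse_first:
            # Regressed ordering: parse, then ask the limiter.
            payload = self.parse(body)
            if not self.limiter.allow(client):
                return 429
        else:
            # Corrected ordering: the limiter gates the parse.
            if not self.limiter.allow(client):
                return 429
            payload = self.parse(body)
        return 200 if isinstance(payload, dict) else 400


def simulate(parse_first, requests=200, limit=10):
    """Return (parses_performed, rate_limited_responses) for one client sending `requests` bodies."""
    srv = Server(limit, max_request_size=32 * 1024 * 1024, parse_first=parse_first)
    # Constructed body: valid JSON, nested enough to cost real parse work, well under the size cap.
    body = json.dumps({"data": [[{"k": list(range(50))}] * 20] * 20})
    statuses = [srv.handle("client-a", body) for _ in range(requests)]
    return srv.parses, statuses.count(429)


if __name__ == "__main__":
    for label, order in (("limit after parse", True), ("limit before parse", False)):
        parses, limited = simulate(parse_first=order)
        print(f"{label:20s}: {parses:4d} parses, {limited:4d} responses rate-limited")
```

Both orderings reject the same number of requests with 429, so the quota looks correct from the outside; only the parse counter shows that the regressed ordering does all the work anyway. That is why the advisory treats this as a DoS rather than a quota-bypass issue.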

This issue impacts Vault Community Edition versions 1.20.3 to 1.20.4, with fixes available in 1.21.0.

For Vault Enterprise, affected releases span 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, patched in 1.21.0, 1.20.5, 1.19.11, and 1.16.27.

Authentication Bypass In AWS And EC2 Methods

The second vulnerability, CVE-2025-11621 (also HCSEC-2025-30), poses an even graver threat by allowing authentication bypass in Vault’s AWS Auth method.

This method automates token retrieval for IAM principals and EC2 instances, but a flaw in the caching logic fails to validate the AWS account ID.

If the same role name exists in another account, or the bound_principal_iam binding uses wildcards, an attacker from a different account can impersonate a legitimate user, leading to unauthorized access, data exposure, and privilege escalation.

A parallel issue affects the EC2 authentication method, where cache lookups only check AMI IDs, not account IDs, enabling cross-account attacks.

Discovered by security researcher Pavlos Karakalidis, who coordinated disclosure with HashiCorp, this flaw underscores the risks of wildcard configurations in multi-account setups.

Affected versions are broader: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).

| CVE ID | Description | Affected Products/Versions | CVSS Score | Fix Versions |
|---|---|---|---|---|
| CVE-2025-12044 | Unauthenticated DoS via JSON payloads | Community: 1.20.3-1.20.4; Enterprise: 1.20.3-1.20.4, 1.19.9-1.19.10, 1.18.14-1.18.15, 1.16.25-1.16.26 | High (est.) | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27 |
| CVE-2025-11621 | AWS/EC2 auth bypass via cache flaw | Community: 0.6.0-1.20.4; Enterprise: 0.6.0-1.20.4, 1.19.10, 1.18.15, 1.16.26 | High | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27 |

Mitigations

HashiCorp urges immediate upgrades to patched versions, following the official upgrading guide.

For those unable to update promptly, review AWS auth configurations: eliminate wildcards in bound_principal_iam and audit for role name collisions across accounts. Enable stricter account ID validation where possible.
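The configuration review described above can be scripted. The following Python is an added example, not a HashiCorp tool: it consumes the data object that vault read -format=json auth/aws/role/NAME returns for each role and flags wildcard principal bindings, the same IAM principal name bound from more than one account, and EC2 roles that bind an AMI ID without also binding an account ID. The SAMPLE_ROLES and account IDs are constructed. Note that the page refers to the parameter as bound_principal_iam; the field in Vault's AWS auth role API is bound_iam_principal_arn, and bound_ami_id and bound_account_id are the EC2-side fields, so those are the keys the script reads.

```python
"""Audit Vault AWS auth roles for the patterns the advisory calls out (added example).

Input is {role_name: data} where `data` is the "data" object from
`vault read -format=json auth/aws/role/<role_name>`. Findings are
(role_name, message) tuples; "*" as the role name marks a cross-role finding.
"""
import re
from collections import defaultdict

# IAM principal ARN: arn:partition:iam::ACCOUNT:{role|user|assumed-role}/NAME
ARN_RE = re.compile(r"^arn:[^:]+:(?:iam|sts)::(\d{12}|\*):(?:role|user|assumed-role)/(.+)$")

# Constructed sample, not from any real deployment.
SAMPLE_ROLES = {
    "ci-deploy": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/deployer"],
    },
    "ci-deploy-staging": {
        "auth_type": "iam",
        # Same principal name, different account: the collision the advisory warns about.
        "bound_iam_principal_arn": ["arn:aws:iam::222222222222:role/deployer"],
    },
    "legacy-admins": {
        "auth_type": "iam",
        "bound_iam_principal_arn": ["arn:aws:iam::111111111111:role/*"],
    },
    "web-nodes": {"auth_type": "ec2", "bound_ami_id": ["ami-0123456789abcdef0"]},
    "db-nodes": {
        "auth_type": "ec2",
        "bound_ami_id": ["ami-0123456789abcdef0"],
        "bound_account_id": ["111111111111"],
    },
}


def arn_parts(arn):
    """Return (account_id, principal_name) for an IAM principal ARN, or None if it does not parse."""
    m = ARN_RE.match(arn)
    return (m.group(1), m.group(2)) if m else None


def audit_roles(roles):
    """Return a list of (role_name, finding) tuples for the given role configurations."""
    findings = []
    principal_accounts = defaultdict(set)  # principal name -> accounts binding it

    for name, data in roles.items():
        auth_type = data.get("auth_type", "iam")
        if auth_type == "iam":
            arns = data.get("bound_iam_principal_arn") or []
            if not arns:
                findings.append((name, "iam role has no bound_iam_principal_arn"))
            for arn in arns:
                if "*" in arn:
                    findings.append((name, f"wildcard in bound_iam_principal_arn: {arn}"))
                parts = arn_parts(arn)
                if parts:
                    account, principal = parts
                    principal_accounts[principal].add(account)
                else:
                    findings.append((name, f"unparseable principal ARN: {arn}"))
        elif auth_type == "ec2":
            if data.get("bound_ami_id") and not data.get("bound_account_id"):
                findings.append((name, "ec2 role binds bound_ami_id without bound_account_id"))

    # Role name collisions: one principal name bound from more than one account.
    for principal, accounts in sorted(principal_accounts.items()):
        if len(accounts) > 1:
            findings.append(
                ("*", f"principal name {principal!r} bound from multiple accounts: {sorted(accounts)}")
            )
    return findings


if __name__ == "__main__":
    for role, msg in audit_roles(SAMPLE_ROLES):
        print(f"[{role}] {msg}")
```

To run it against a live mount, loop over `vault list -format=json auth/aws/roles`, read each role with `vault read -format=json auth/aws/role/NAME`, and pass the collected "data" objects to audit_roles; every finding is one to resolve before relying on the AWS auth method in a multi-account setup, and the wildcard and collision findings are the ones the patch releases address.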

These vulnerabilities arrive amid rising scrutiny on secrets management tools, as attackers target them for initial footholds. Organizations using Vault in production should prioritize patching to safeguard against exploitation, which could cascade into broader breaches.
