Categories: Cyber Security News

Vulnerabilities in HashiCorp Vault Allow Attackers to Bypass Authentication and Launch DoS Attack

HashiCorp has disclosed a critical, unauthenticated denial-of-service vulnerability in Vault and Vault Enterprise that allows attackers to exhaust system resources via malicious JSON payloads.

The vulnerability, tracked as CVE-2025-12044 under bulletin HCSEC-2025-31, represents a regression from a prior security fix and poses a significant risk to organizations that rely on Vault for secrets management and encryption key operations.

The flaw stems from an order-of-operations error introduced during remediation of HCSEC-2025-24, which inadvertently allows rate limiting to occur after JSON payload parsing rather than before.

Technical Exploitation and Resource Exhaustion

An attacker can exploit this vulnerability by repeatedly sending crafted JSON payloads to a Vault instance without authentication. Since rate limiting is applied post-parse, each request undergoes complete JSON processing before being evaluated against rate limit quotas.

By submitting large but valid JSON requests that fall below the configured max_request_size threshold, attackers can bypass rate limit protections entirely.

Repeated processing of these payloads consumes significant CPU and memory resources, degrading Vault’s performance or causing complete service unavailability.

In worst-case scenarios, resource exhaustion can cause the Vault process to crash, rendering secrets inaccessible to legitimate applications and services that depend on the platform.

Vault’s architecture relies on configurable rate limits and resource quotas to prevent abuse. Because of the processing-order flaw, however, operators who have configured strict rate-limiting policies remain exposed to this attack vector.

The vulnerability fundamentally compromises the effectiveness of these protections, creating a direct path for unauthenticated attackers to impact production environments.
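To make the order-of-operations point concrete, the following Go program is an added illustration, not Vault's code and not from the HashiCorp bulletin. It models two HTTP handlers that differ only in whether the per-client quota is checked before or after the JSON body is decoded, and counts how many bodies each one ends up parsing for the same flood of ten identical, valid requests against a quota of three. The `Limiter`, `Server`, `Flood` and `sampleBody` names, the fixed per-key quota, and the `maxBody` field (an analogue of `max_request_size`) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Limiter is a deliberately simple fixed quota per client key (assumed for
// this example; it is not Vault's quota implementation): at most max
// requests per key are allowed and the rest are rejected.
type Limiter struct {
	mu    sync.Mutex
	max   int
	count map[string]int
}

func NewLimiter(max int) *Limiter {
	return &Limiter{max: max, count: map[string]int{}}
}

// Allow consumes one unit of quota for key and reports whether the request may proceed.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.count[key]++
	return l.count[key] <= l.max
}

// Server records how many request bodies were JSON-decoded so the two
// orderings can be compared on identical traffic.
type Server struct {
	limiter *Limiter
	maxBody int64 // analogue of max_request_size (assumed name)
	mu      sync.Mutex
	decoded int
}

func NewServer(maxRequests int, maxBody int64) *Server {
	return &Server{limiter: NewLimiter(maxRequests), maxBody: maxBody}
}

// decodeBody does the expensive work: read the (bounded) body and parse it as JSON.
func (s *Server) decodeBody(r *http.Request) error {
	s.mu.Lock()
	s.decoded++
	s.mu.Unlock()
	var payload map[string]any
	return json.NewDecoder(io.LimitReader(r.Body, s.maxBody)).Decode(&payload)
}

// VulnerableHandler mirrors the ordering the bulletin describes: the body is
// parsed first and the quota is checked afterwards, so every request costs a
// full decode even when the client is already over quota.
func (s *Server) VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if err := s.decodeBody(r); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if !s.limiter.Allow(r.RemoteAddr) {
		http.Error(w, "rate limited", http.StatusTooManyRequests)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// FixedHandler checks the quota before touching the body, so an over-quota
// request is rejected for the price of a map lookup, not a JSON decode.
func (s *Server) FixedHandler(w http.ResponseWriter, r *http.Request) {
	if !s.limiter.Allow(r.RemoteAddr) {
		http.Error(w, "rate limited", http.StatusTooManyRequests)
		return
	}
	if err := s.decodeBody(r); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// Flood sends n copies of body from one client (httptest uses a fixed
// RemoteAddr) through handler and returns how many bodies were decoded and
// how many requests were rate limited.
func Flood(s *Server, handler http.HandlerFunc, n int, body string) (decoded, limited int) {
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/v1/example", strings.NewReader(body))
		rec := httptest.NewRecorder()
		handler(rec, req)
		if rec.Code == http.StatusTooManyRequests {
			limited++
		}
	}
	return s.decoded, limited
}

// Constructed sample: a valid payload that stays under the body limit.
const sampleBody = `{"data":{"key":"value","list":[1,2,3,4,5,6,7,8,9,10]}}`

func main() {
	vuln := NewServer(3, 1<<20)
	d, l := Flood(vuln, vuln.VulnerableHandler, 10, sampleBody)
	fmt.Printf("parse-then-limit: decoded=%d limited=%d\n", d, l)

	fixed := NewServer(3, 1<<20)
	d, l = Flood(fixed, fixed.FixedHandler, 10, sampleBody)
	fmt.Printf("limit-then-parse: decoded=%d limited=%d\n", d, l)
}
```

Both handlers reject the same seven requests, which is why a quota looks healthy in metrics either way; the difference is that the parse-then-limit ordering decodes all ten bodies while the limit-then-parse ordering decodes only the three that were within quota. When reviewing a service's request path, the check to make is that quota enforcement and body-size limits sit before any deserialization, and that a rejected request never reads the body at all.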

Affected Versions and Remediation Guidance

The vulnerability affects multiple release channels spanning several years of Vault versions. Vault Community Edition versions 1.20.3 to 1.20.4 require upgrading to 1.21.0.

Vault Enterprise customers running versions 1.16.25 to 1.16.26, 1.18.14 to 1.18.15, 1.19.9 to 1.19.10, or 1.20.3 to 1.20.4 should update to the patched release for their branch; the bulletin lists 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

HashiCorp recommends consulting its official upgrade documentation to plan appropriate migration paths for production deployments.

Organizations operating Vault instances should prioritize evaluating their exposure and planning expedited upgrades to prevent potential denial-of-service incidents.

Toni Tauro of Adfinis AG discovered and reported the vulnerability through coordinated disclosure. Given that it requires no authentication and directly affects service availability, enterprises should treat it as a high-priority patch requiring immediate attention.


The post Vulnerabilities in HashiCorp Vault Allow Attackers to Bypass Authentication and Launch DoS Attack appeared first on Cyber Security News.
