Bug 2406098 (CVE-2025-12044) - CVE-2025-12044 github.com/hashicorp/vault: Vault Vulnerable to Denial of Service Due to Rate Limit Regression
Summary: CVE-2025-12044 github.com/hashicorp/vault: Vault Vulnerable to Denial of Serv...
Keywords:
Status: NEW
Alias: CVE-2025-12044
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2415671 2415672 2415673 2415675 2415677 2415679 2415680 2415681 2415682
Blocks:
Reported: 2025-10-23 20:01 UTC by OSIDB Bzimport
Modified: 2025-11-18 17:41 UTC (History)
CC List: 14 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-10-23 20:01:45 UTC
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. The issue is a regression of the earlier fix for HCSEC-2025-24 (https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393): JSON request bodies were once again parsed before rate limits were applied, so a caller who is over their quota still forces the server to do the full decoding work. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.
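The ordering problem the advisory describes can be shown with a small Go HTTP server. The following is an added example written for this page, not Vault's own code: the limiter, the request counter, the handler names and the constructed nested payload are all assumptions. The "vulnerable" handler decodes the body and only then consults the rate limit; the "hardened" handler consults the limit first and, as an extra measure that the advisory does not itself prescribe, caps the body size before decoding.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// clientLimiter is a constructed fixed-budget limiter keyed by client address.
// It stands in for a real quota implementation and is not Vault's.
type clientLimiter struct {
	mu     sync.Mutex
	left   map[string]int
	budget int
}

func newClientLimiter(budget int) *clientLimiter {
	return &clientLimiter{left: map[string]int{}, budget: budget}
}

// allow consumes one unit of the client's budget and reports whether it had any.
func (l *clientLimiter) allow(client string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	n, seen := l.left[client]
	if !seen {
		n = l.budget
	}
	if n == 0 {
		return false
	}
	l.left[client] = n - 1
	return true
}

// stats counts request bodies actually decoded: CPU and memory spent on behalf
// of an unauthenticated caller, which is the number an attacker wants to drive up.
type stats struct {
	mu      sync.Mutex
	decodes int
}

func (s *stats) decode(r *http.Request) (map[string]any, error) {
	s.mu.Lock()
	s.decodes++
	s.mu.Unlock()
	var v map[string]any
	return v, json.NewDecoder(r.Body).Decode(&v)
}

// vulnerableHandler parses the JSON body first and checks the rate limit only
// afterwards, so a rejected client still costs the server a full decode.
func vulnerableHandler(l *clientLimiter, s *stats) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := s.decode(r); err != nil {
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		if !l.allow(r.RemoteAddr) {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// hardenedHandler checks the limit before touching the body, then caps the
// body size before decoding, so over-budget clients cost almost nothing.
func hardenedHandler(l *clientLimiter, s *stats, maxBytes int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.allow(r.RemoteAddr) {
			http.Error(w, "rate limited", http.StatusTooManyRequests)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
		if _, err := s.decode(r); err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
}

// send POSTs one constructed body to the handler and returns the status code.
func send(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/v1/sys/example", strings.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

// flood sends n requests from one client address and returns how many bodies
// were decoded and how many requests were rate limited.
func flood(build func(*clientLimiter, *stats) http.Handler, budget, n int, body string) (decoded, limited int) {
	s := &stats{}
	h := build(newClientLimiter(budget), s)
	for i := 0; i < n; i++ {
		if send(h, body) == http.StatusTooManyRequests {
			limited++
		}
	}
	return s.decodes, limited
}

// nestedJSON builds a constructed deeply nested payload standing in for the
// "complex JSON payload" of the advisory.
func nestedJSON(depth int) string {
	return strings.Repeat(`{"a":`, depth) + `1` + strings.Repeat(`}`, depth)
}

func main() {
	body := nestedJSON(200)
	vd, vl := flood(vulnerableHandler, 3, 10, body)
	hd, hl := flood(func(l *clientLimiter, s *stats) http.Handler {
		return hardenedHandler(l, s, 1<<20)
	}, 3, 10, body)
	fmt.Printf("vulnerable: decoded %d bodies, limited %d requests\n", vd, vl)
	fmt.Printf("hardened:   decoded %d bodies, limited %d requests\n", hd, hl)
}
```

With a budget of 3 and 10 requests from one client, both handlers reject 7 requests, but the vulnerable ordering decodes all 10 bodies while the hardened ordering decodes only 3; the size cap additionally turns an oversized body into a 413 before any parsing of it completes.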

