CVE-2025-11375 — Allocation of Resources Without Limits or Throttling in Consul Enterprise

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 91.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hashicorp Consul Enterprise Github.com Hashicorp Consul Hashicorp Consul +1 more

Timeline

PublishedOct 28

Latest updateNov 5

Description

Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5hashicorp/consul_enterprise< 1.22.0

▶NVDhashicorp/consul1.19.0 — 1.20.8+3

▶Gogithub.com/hashicorp_consul< 1.22.0

▶debiandebian/consul

🔴Vulnerability Details

OSV

Consul event endpoint is vulnerable to denial of service in github.com/hashicorp/consul↗2025-11-05

▶

GHSA

Consul event endpoint is vulnerable to denial of service↗2025-10-28

▶

OSV

Consul event endpoint is vulnerable to denial of service↗2025-10-28

▶

OSV

CVE-2025-11375: Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length h↗2025-10-28

▶

📋Vendor Advisories

Red Hat

github.com/hashicorp/consul: Consul's event endpoint is vulnerable to denial of service↗2025-10-28

▶

Debian

CVE-2025-11375: consul - Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2808 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶