CVE-2025-11375
Published 2025-10-28
Priority: P3 36 | Severity: medium | CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.40% (32.0th percentile)
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header. This vulnerability, CVE-2025-11375, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | consul | — | — |
| github.com | hashicorp_consul | >= 0 < 1.22.0 | 1.22.0 |
| hashicorp | consul | < 1.18.12 | 1.18.12 |
| hashicorp | consul | < 1.22.0 | 1.22.0 |
| hashicorp | consul | >= 1.19.0 < 1.20.8 | 1.20.8 |
| hashicorp | consul | >= 1.21.0 < 1.21.6 | 1.21.6 |
| hashicorp | consul_enterprise | < 1.22.0 | 1.22.0 |
CVSS provenance
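| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 6.5 | MEDIUM | — |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 6.5 | MEDIUM | — |
| vendor_redhat | 6.5 | MEDIUM | — |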
OSV
Consul event endpoint is vulnerable to denial of service in github.com/hashicorp/consul
osv·2025-11-05
GHSA
Consul event endpoint is vulnerable to denial of service
ghsa·2025-10-28·CVSS 6.5
CVE-2025-11375 [MEDIUM] CWE-770
OSV
Consul event endpoint is vulnerable to denial of service
osv·2025-10-28·CVSS 6.5
OSV
CVE-2025-11375: Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length h
osv·2025-10-28·CVSS 6.5
Red Hat
github.com/hashicorp/consul: Consul's event endpoint is vulnerable to denial of service
vendor_redhat·2025-10-28·CVSS 6.5
CVE-2025-11375 [MEDIUM] CWE-770
A denial of service flaw has been discovered in HashiCorp Consul. The event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Length header.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation ba
Debian
CVE-2025-11375: consul - Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial...
vendor_debian·2025·CVSS 6.5
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2808 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-2808 [HIGH]
## CVE-2026-2808: Consul vulnerability analysis and mitigation
HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Source: NVD
Score: 6.8
Published: March 12, 2026
Severity: MEDIUM
CNA Score: 6.8
Affected Technologies: Consul
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: cpe:2.3:a:hashicorp:consul, consul
Sources
NVD
Debian 11 Severity MEDIUM No Fix Added at: Mar 13, 2026
GoLang Severity MEDIUM Has Fix Added at: Mar 13,
Bugzilla
CVE-2025-11375 golang-github-hashicorp-consul: Consul's event endpoint is vulnerable to denial of service [fedora-42]
bugzilla·2025-10-29·CVSS 6.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fed