CVE-2025-12044: Allocation of Resources Without Limits or Throttling in Vault Enterprise

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 59.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 23; latest update Oct 30

Description

Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for HCSEC-2025-24 (https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393) which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5,
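The ordering defect the description refers to, shown as an added illustration that is neither Vault's nor HashiCorp's code: a constructed Go handler with a two-request per-client quota is run in both orders over constructed, deeply nested JSON bodies, and counting decoder invocations shows why the quota must be consulted before the body is read. The quota size, the request path and the nesting depth are assumptions chosen for the demo.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// decodes counts how often the JSON decoder ran (parsing work a client forced on the server).
var decodes int

func decodeJSON(w http.ResponseWriter, r *http.Request) error {
	decodes++
	var v any
	return json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&v)
}

// handle: constructed quota of 2 per client (not Vault's code); parseFirst=true mirrors the regression.
func handle(count map[string]int, parseFirst bool, w http.ResponseWriter, r *http.Request) {
	parse := func() bool { return decodeJSON(w, r) == nil }
	if parseFirst && !parse() {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	if count[r.RemoteAddr] >= 2 {
		http.Error(w, "rate limited", http.StatusTooManyRequests)
		return
	}
	count[r.RemoteAddr]++
	if !parseFirst && !parse() {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// run sends n constructed, deeply nested JSON bodies from one client; returns bodies parsed and last status.
func run(parseFirst bool, n int) (parsed, lastStatus int) {
	decodes = 0
	count := map[string]int{}
	body := strings.Repeat("[", 500) + strings.Repeat("]", 500)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, "/v1/sys/health", strings.NewReader(body))
		rec := httptest.NewRecorder()
		handle(count, parseFirst, rec, req)
		lastStatus = rec.Code
	}
	return decodes, lastStatus
}
```

Exercised with `go test` calling run(true, 5) and run(false, 5): the parse-first order decodes all five bodies before the client is rejected, while the quota-first order decodes only the two that were within quota.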

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      Package                      Affected version  Fixed version  More
CVEListV5   hashicorp/vault_enterprise   1.20.3            1.21.0         +3
NVD         hashicorp/vault              1.16.25           1.16.27        +4
Go          github.com/hashicorp_vault   1.20.3            1.21.0

Vulnerability Details (3)

OSV: Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON in github.com/hashicorp/vault (2025-10-30)
GHSA: Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON (2025-10-23)
OSV: Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON (2025-10-23)

Vendor Advisories (2)

Red Hat: github.com/hashicorp/vault: Vault Vulnerable to Denial of Service Due to Rate Limit Regression (2025-10-23)
Citrix: Citrix Security Bulletin CTX249976