CVE-2025-4656Synchronous Access of Remote Resource without Timeout in Vault Enterprise

CWE-1088Synchronous Access of Remote Resource without Timeout5 documents4 sources
Severity
3.1LOWNVD
EPSS
0.0%
top 92.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Hashicorp Vault EnterpriseGithub.com Hashicorp VaultHashicorp Vault
Timeline
PublishedJun 25
Latest updateJul 28

Description

Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 1.6 | Impact: 1.4

Affected Packages3 packages

CVEListV5hashicorp/vault_enterprise1.14.81.20.0
NVDhashicorp/vault1.14.81.16.22+4
Gogithub.com/hashicorp_vault1.14.81.20.0

🔴Vulnerability Details

3
OSV
Vault Community Edition rekey and recovery key operations can cause denial of service in github.com/hashicorp/vault2025-07-28
OSV
Vault Community Edition rekey and recovery key operations can cause denial of service2025-06-26
GHSA
Vault Community Edition rekey and recovery key operations can cause denial of service2025-06-26

📋Vendor Advisories

1
Red Hat
github.com/hashicorp/vault: Vault Denial of Service2025-06-25