CVE-2025-12044
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-12-23

Assigner: HashiCorp Inc.

Description
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for HCSEC-2025-24 (https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393), which allowed JSON payloads to be processed before rate limits were applied. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.
Meta Information
Published: 2025-10-23
Last Modified: 2025-12-23
Generated: 2026-05-07
AI Q&A: 2025-10-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (5 associated CPEs)
Vendor     Product  Version / Range
hashicorp  vault    From 1.16.25 (inc) to 1.16.27 (exc)
hashicorp  vault    From 1.18.14 (inc) to 1.18.15 (inc)
hashicorp  vault    From 1.19.9 (inc) to 1.19.11 (inc)
hashicorp  vault    From 1.20.3 (inc) to 1.20.5 (exc)
hashicorp  vault    From 1.20.3 (inc) to 1.21.0 (exc)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-12044 is an unauthenticated denial of service (DoS) vulnerability in HashiCorp Vault and Vault Enterprise. It occurs because of a regression where Vault processes JSON payloads before applying rate limits, allowing attackers to send large but valid JSON requests repeatedly. This consumes excessive CPU and memory resources, potentially causing the service to become unavailable or crash. [1]


How can this vulnerability impact me?

This vulnerability can impact you by causing service unavailability or crashes in Vault due to resource exhaustion. Attackers can exploit it without authentication by sending specially crafted JSON payloads that bypass rate limits, leading to denial of service and disruption of Vault operations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusually high CPU and memory usage on Vault servers caused by processing large but valid JSON payloads repeatedly. Since the issue involves unauthenticated denial of service via JSON payloads, you can look for repeated JSON requests below the maximum request size threshold that consume excessive resources. Specific commands are not provided in the resources, but general monitoring commands such as 'top', 'htop', or 'ps' on the Vault server to observe CPU and memory usage, and network monitoring tools to detect repeated JSON payload requests may help identify exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Vault to the fixed versions: Vault Community Edition 1.21.0 or Vault Enterprise versions 1.16.27, 1.19.11, 1.20.5, or 1.21.0. Until the upgrade is applied, operators can configure tunable rate limits and resource quotas, but due to the regression, these may be ineffective against certain payloads. Therefore, upgrading is the recommended mitigation. [1]

