HashiCorp has disclosed two critical vulnerabilities in its Vault software that could allow attackers to bypass authentication controls and launch denial-of-service (DoS) attacks.
Published on October 23, 2025, the advisories affect both Vault Community Edition and Vault Enterprise, and HashiCorp is urging affected users to upgrade.
The issues, tracked as CVE-2025-12044 and CVE-2025-11621, stem from defects in request handling and in authentication caching, and could expose sensitive data in enterprise environments.
Vault, a widely used tool for secrets management, encryption, and identity-based access, is a cornerstone of secure operations in cloud and hybrid infrastructures.
These vulnerabilities highlight the ongoing challenge of balancing performance with robust security, especially as organizations increasingly rely on automated authentication methods such as the AWS integration.
Denial-of-Service Flaw Via JSON Payload Exploitation
The first vulnerability, CVE-2025-12044 (HCSEC-2025-30), enables an unauthenticated DoS attack by exploiting a regression in JSON payload processing.
The regression was introduced by an earlier fix for HCSEC-2025-24, which addressed complex JSON payloads that could exhaust resources.
In affected versions, Vault applies rate limits after parsing incoming JSON requests rather than before, so an attacker can flood the server with large, syntactically valid payloads that stay under the max_request_size threshold.
Operators configure tunable rate limits and resource quotas in Vault to prevent abuse, but this ordering error lets every request consume CPU and memory for parsing before any quota is enforced, so repeated requests still exhaust the server.
The result is service unavailability or outright crashes that cut off access to critical secrets and keys. No CVSS score was provided at disclosure, but the unauthenticated nature of the flaw elevates its severity, and HashiCorp rates it as high risk.
The issue affects Vault Community Edition versions 1.20.3 to 1.20.4, with a fix available in 1.21.0.
For Vault Enterprise, the affected releases are 1.20.3 to 1.20.4, 1.19.9 to 1.19.10, 1.18.14 to 1.18.15, and 1.16.25 to 1.16.26, patched in 1.21.0, 1.20.5, 1.19.11, and 1.16.27 respectively.
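To make the ordering problem concrete, here is an added example that is not Vault's code and not taken from the advisory: a minimal Go HTTP endpoint that can either decode the JSON body before consulting a quota (the regression's ordering) or consult the quota first, driven by an in-process flood of constructed, valid 64 KiB payloads. The quota type, the handler, and the `/v1/secret/data/app` path are assumptions made for illustration; only the 32 MiB default for max_request_size comes from Vault's listener documentation.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// fixedQuota stands in for a Vault rate limit quota: it admits a fixed number
// of requests and rejects the rest (illustrative model, not Vault's quota code).
type fixedQuota struct {
	mu        sync.Mutex
	remaining int
}

func (q *fixedQuota) allow() bool {
	q.mu.Lock()
	defer q.mu.Unlock()
	if q.remaining <= 0 {
		return false
	}
	q.remaining--
	return true
}

// parseCounter counts request bodies the handler fully decoded: the work an attacker wants to force.
type parseCounter struct {
	mu sync.Mutex
	n  int
}

// newHandler builds a JSON endpoint. With quotaFirst=false the body is decoded and
// only then is the quota consulted; with quotaFirst=true the quota is checked
// before a single body byte is read.
func newHandler(quotaFirst bool, q *fixedQuota, maxRequestSize int64) (http.Handler, *parseCounter) {
	c := &parseCounter{}
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if quotaFirst && !q.allow() {
			http.Error(w, "rate limit quota exceeded", http.StatusTooManyRequests)
			return
		}
		// max_request_size still caps the body, but a large *valid* payload under
		// the cap is exactly what the attacker sends.
		var body map[string]any
		dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, maxRequestSize))
		if err := dec.Decode(&body); err != nil {
			http.Error(w, "malformed request", http.StatusBadRequest)
			return
		}
		c.mu.Lock()
		c.n++
		c.mu.Unlock()
		if !quotaFirst && !q.allow() {
			http.Error(w, "rate limit quota exceeded", http.StatusTooManyRequests)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	})
	return h, c
}

// buildPayload constructs a syntactically valid JSON body of roughly the
// requested size (constructed sample input for the flood).
func buildPayload(approxBytes int) []byte {
	var b bytes.Buffer
	b.WriteString(`{"data":{`)
	for i := 0; b.Len() < approxBytes; i++ {
		if i > 0 {
			b.WriteByte(',')
		}
		fmt.Fprintf(&b, `"k%d":%q`, i, strings.Repeat("x", 64))
	}
	b.WriteString(`}}`)
	return b.Bytes()
}

type floodResult struct{ Parsed, Accepted, Rejected int }

// flood sends `requests` identical POSTs through an in-process handler backed by
// a quota of `quotaSize` and reports bodies decoded versus requests admitted.
func flood(quotaFirst bool, requests, quotaSize int, payload []byte) floodResult {
	q := &fixedQuota{remaining: quotaSize}
	h, c := newHandler(quotaFirst, q, 32<<20) // 32 MiB, Vault's default max_request_size
	var res floodResult
	for i := 0; i < requests; i++ {
		req := httptest.NewRequest(http.MethodPost, "/v1/secret/data/app", bytes.NewReader(payload))
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		switch rec.Code {
		case http.StatusNoContent:
			res.Accepted++
		case http.StatusTooManyRequests:
			res.Rejected++
		}
	}
	res.Parsed = c.n
	return res
}

func main() {
	payload := buildPayload(64 << 10) // 64 KiB of valid JSON, far under the cap
	fmt.Printf("quota after parse:  %+v\n", flood(false, 100, 5, payload))
	fmt.Printf("quota before parse: %+v\n", flood(true, 100, 5, payload))
}
```

With a quota of 5 and 100 requests, both orderings admit exactly 5 requests, but the after-parse ordering still decodes all 100 bodies; the quota only changes the status code the attacker sees, not the work the server does. Checking the quota before touching the body is what makes the limit actually protect the server.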
Authentication Bypass In AWS And EC2 Strategies
The second vulnerability, CVE-2025-11621, poses an even graver threat by allowing authentication bypass in Vault's AWS auth method.
This method issues Vault tokens to IAM principals and EC2 instances, but a flaw in its caching logic fails to validate the AWS account ID of the caller.
If a role's bound_iam_principal_arn matches a principal name that exists in more than one account, or uses a wildcard, an attacker in a different account can impersonate a legitimate caller, leading to unauthorized access, data exposure, and privilege escalation.
A parallel issue affects the EC2 authentication method, where cache lookups check only AMI IDs and not account IDs, again enabling cross-account attacks.
Discovered by security researcher Pavlos Karakalidis, who coordinated disclosure with HashiCorp, the flaw underscores the risk of wildcard configurations in multi-account setups.
The affected range is broader: Vault Community Edition from 0.6.0 to 1.20.4 (fixed in 1.21.0), and Vault Enterprise from 0.6.0 to 1.20.4, plus 1.19.10, 1.18.15, and 1.16.26 (fixed in 1.21.0, 1.20.5, 1.19.11, and 1.16.27).
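An added illustration of the cache problem, written for this page rather than taken from Vault's source: a toy principal cache keyed either on type/name alone (dropping the account ID) or on the full ARN, replaying a caller from a second account whose role name matches an entry cached for the first. The ARNs, the account IDs, and the `prod-deployer` role name are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// iamPrincipal is the parsed form of arn:partition:iam::account-id:type/name
// (an illustrative model for this example, not Vault's own types).
type iamPrincipal struct{ Partition, AccountID, Type, Name string }

func parseIAMARN(arn string) (iamPrincipal, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" || parts[3] != "" {
		return iamPrincipal{}, errors.New("not an IAM ARN: " + arn)
	}
	tn := strings.SplitN(parts[5], "/", 2)
	if len(tn) != 2 || tn[0] == "" || tn[1] == "" {
		return iamPrincipal{}, errors.New("missing type/name: " + arn)
	}
	return iamPrincipal{parts[1], parts[4], tn[0], tn[1]}, nil
}

// weakKey identifies a caller by type/name alone, dropping the account ID: the
// class of mistake the advisory describes, modelled here rather than copied.
func weakKey(p iamPrincipal) string { return p.Type + "/" + p.Name }

// strictKey keeps the account ID, so role/deploy in two accounts never collides.
func strictKey(p iamPrincipal) string { return p.Partition + ":" + p.AccountID + ":" + weakKey(p) }

// principalCache remembers which Vault role a caller was last validated for;
// keyFn decides which parts of the principal identify an entry.
type principalCache struct {
	keyFn   func(iamPrincipal) string
	entries map[string]string
}

func newCache(keyFn func(iamPrincipal) string) *principalCache {
	return &principalCache{keyFn: keyFn, entries: map[string]string{}}
}

func (c *principalCache) store(arn, vaultRole string) error {
	p, err := parseIAMARN(arn)
	if err != nil {
		return err
	}
	c.entries[c.keyFn(p)] = vaultRole
	return nil
}

func (c *principalCache) lookup(arn string) (string, bool) {
	p, err := parseIAMARN(arn)
	if err != nil {
		return "", false
	}
	role, ok := c.entries[c.keyFn(p)]
	return role, ok
}

// crossAccountReplay: role/deploy in account 111111111111 logs in and is cached,
// then a same-named role in attacker-controlled account 222222222222 tries.
// It returns what the attacker's lookup resolves to. (Constructed ARNs.)
func crossAccountReplay(c *principalCache) (string, bool) {
	_ = c.store("arn:aws:iam::111111111111:role/deploy", "prod-deployer")
	return c.lookup("arn:aws:iam::222222222222:role/deploy")
}

func main() {
	for _, k := range []struct {
		name string
		fn   func(iamPrincipal) string
	}{{"weak (no account ID)", weakKey}, {"strict (full ARN)", strictKey}} {
		role, hit := crossAccountReplay(newCache(k.fn))
		fmt.Printf("%-22s attacker cache hit=%v role=%q\n", k.name, hit, role)
	}
}
```

With the weak key the attacker's lookup returns the `prod-deployer` entry cached for the legitimate account; with the strict key it misses and the caller has to be validated from scratch. Any cache that sits in front of an identity check has to be keyed on every attribute the check depends on, and for AWS principals the account ID is one of them.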
CVE ID | Description | Affected products/versions | CVSS score | Fix versions
CVE-2025-12044 | Unauthenticated DoS via JSON payloads | Community: 1.20.3-1.20.4; Enterprise: 1.20.3-1.20.4, 1.19.9-1.19.10, 1.18.14-1.18.15, 1.16.25-1.16.26 | High (est.) | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27
CVE-2025-11621 | AWS/EC2 auth bypass via cache flaw | Community: 0.6.0-1.20.4; Enterprise: 0.6.0-1.20.4, 1.19.10, 1.18.15, 1.16.26 | High | Community: 1.21.0; Enterprise: 1.21.0, 1.20.5, 1.19.11, 1.16.27
Mitigations
HashiCorp urges immediate upgrades to the patched versions, following the official upgrade guide.
Those unable to update promptly should review their AWS auth configurations: remove wildcards from bound_iam_principal_arn, audit for role name collisions across accounts, and bind each role to fully specified principal ARNs that include the account ID, so that account validation is explicit rather than left to the cache.
These vulnerabilities arrive amid growing scrutiny of secrets management tools, which attackers target for initial footholds. Organizations running Vault in production should prioritize patching to guard against exploitation that could cascade into broader breaches.
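As an added example of that configuration review (not a HashiCorp tool), the audit below takes the bound_iam_principal_arn values of each Vault AWS auth role, as read with `vault read -format=json auth/aws/role/<name>` (field data.bound_iam_principal_arn), and flags wildcards, ARN shapes it does not recognise, and any principal name bound in more than one AWS account. The four roles are constructed sample data; feed it the real output of `vault list auth/aws/role` and the per-role reads to run it against a live mount.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// iamARN captures the account ID and the type/name tail of an IAM principal ARN.
// Wildcard ARNs are matched too so they can be reported rather than skipped.
var iamARN = regexp.MustCompile(`^arn:[^:]+:iam::([0-9]{12}|\*):([^:]+)$`)

// Finding is one problem with a Vault AWS auth role's bound_iam_principal_arn list.
type Finding struct{ VaultRole, Principal, Problem string }

// AuditBoundPrincipals takes Vault role name -> bound_iam_principal_arn values and
// flags wildcards, unrecognised ARN shapes, and the same type/name bound in more
// than one AWS account (the collision the cache flaw turns into a bypass).
func AuditBoundPrincipals(roles map[string][]string) []Finding {
	names := make([]string, 0, len(roles))
	for n := range roles {
		names = append(names, n)
	}
	sort.Strings(names) // stable report order

	// First pass: which accounts does each type/name occur in?
	accounts := map[string]map[string]bool{}
	for _, vr := range names {
		for _, arn := range roles[vr] {
			m := iamARN.FindStringSubmatch(arn)
			if m == nil || strings.Contains(arn, "*") {
				continue
			}
			if accounts[m[2]] == nil {
				accounts[m[2]] = map[string]bool{}
			}
			accounts[m[2]][m[1]] = true
		}
	}
	// Second pass: report, one finding per offending ARN.
	var out []Finding
	for _, vr := range names {
		for _, arn := range roles[vr] {
			m := iamARN.FindStringSubmatch(arn)
			switch {
			case m == nil:
				out = append(out, Finding{vr, arn, "unrecognised ARN shape, review manually"})
			case strings.Contains(arn, "*"):
				out = append(out, Finding{vr, arn, "wildcard in bound principal"})
			case len(accounts[m[2]]) > 1:
				out = append(out, Finding{vr, arn, "same principal name bound in multiple accounts"})
			}
		}
	}
	return out
}

// SampleRoles is a constructed snapshot of four roles, not real configuration.
var SampleRoles = map[string][]string{
	"prod-deployer": {"arn:aws:iam::111111111111:role/deploy"},
	"ci-runner":     {"arn:aws:iam::222222222222:role/deploy", "arn:aws:iam::222222222222:role/ci-*"},
	"read-only":     {"arn:aws:iam::111111111111:user/auditor"},
	"legacy":        {"arn:aws:sts::111111111111:assumed-role/legacy/session"},
}

func main() {
	for _, f := range AuditBoundPrincipals(SampleRoles) {
		fmt.Printf("%-14s %-52s %s\n", f.VaultRole, f.Principal, f.Problem)
	}
}
```

On the sample data the audit reports four findings: `role/deploy` is bound in both accounts (once under `prod-deployer`, once under `ci-runner`), `ci-runner` also carries a wildcard, and the `legacy` role's STS-style ARN is flagged for manual review; `read-only` is clean. Roles that share a principal name across accounts are the ones to rename or pin to a single account until the upgrade is done.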
